| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to reports on and purchase of information technology by |
|
|
state agencies. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Section 552.139(b), Government Code, is amended |
|
|
by adding subsection (4) to read as follows: |
|
|
(b) The following information is confidential: |
|
|
(1) a computer network vulnerability report; |
|
|
(2) any other assessment of the extent to which data |
|
|
processing operations, a computer, a computer program, network, |
|
|
system, or system interface, or software of a governmental body or |
|
|
of a contractor of a governmental body is vulnerable to |
|
|
unauthorized access or harm, including an assessment of the extent |
|
|
to which the governmental body's or contractor's electronically |
|
|
stored information containing sensitive or critical information is |
|
|
vulnerable to alteration, damage, erasure, or inappropriate use; |
|
|
and |
|
|
(3) a photocopy or other copy of an identification |
|
|
badge issued to an official or employee of a governmental body. |
|
|
(4) information collected, assembled, or maintained |
|
|
by or for a governmental entity to prevent, detect, or investigate |
|
|
security incidents. |
|
|
SECTION 2. Subchapter C, Chapter 2054, Government Code, is |
|
|
amended by adding Section 2054.068 to read as follows: |
|
|
Sec. 2054.068. INFORMATION TECHNOLOGY INFRASTRUCTURE |
|
|
REPORT. (a) In this section, "information technology" includes |
|
|
information resources and information resources technologies. |
|
|
(b) The department shall collect from each state agency |
|
|
information on the status and condition of the agency's information |
|
|
technology infrastructure, including information regarding: |
|
|
(1) the agency's information security program; |
|
|
(2) an inventory of the agency's servers, mainframes, |
|
|
and other information technology equipment; |
|
|
(3) identification of vendors that operate and manage |
|
|
the agency's information technology infrastructure; and |
|
|
(4) any additional related information requested by |
|
|
the department. |
|
|
(c) A state agency shall provide the information required by |
|
|
Subsection (b) to the department according to a schedule determined |
|
|
by the department. |
|
|
(d) Not later than August 31 of each even-numbered year, the |
|
|
department shall submit to the governor, chair of the house |
|
|
appropriations committee, chair of the senate finance committee, |
|
|
speaker of the house of representatives, lieutenant governor, and |
|
|
staff of the Legislative Budget Board a consolidated report of the |
|
|
information submitted by state agencies under Subsection (b). |
|
|
(e) The consolidated report required by Subsection (d) |
|
|
must: |
|
|
(1) include an analysis and assessment of each state |
|
|
agency's security and operational risks; and |
|
|
(2) for a state agency found to be at higher security |
|
|
and operational risks, include a detailed analysis of the |
|
|
requirements for the agency to address the risks and related |
|
|
vulnerabilities and the cost estimates to implement those |
|
|
requirements. |
|
|
(f) With the exception of information that is confidential |
|
|
under Chapter 552, including Section 552.139, or other state or |
|
|
federal law, the consolidated report submitted under Subsection (d) |
|
|
is public information and must be released or made available to the |
|
|
public upon request. A governmental body as defined by Section |
|
|
552.003, Government Code, may withhold information confidential |
|
|
under Chapter 552, including Section 552.139, or other state or |
|
|
federal law that is contained in a consolidated report released |
|
|
under this section without the necessity of requesting a decision |
|
|
from the attorney general under Subchapter G, Chapter 552, |
|
|
Government Code. |
|
|
(g) This section does not apply to an institution of higher |
|
|
education or university system, as defined by Section 61.003, |
|
|
Education Code. |
|
|
SECTION 3. Section 2054.0965(a), Government Code, is |
|
|
amended to read as follows: |
|
|
(a) Not later than March 31 [December 1] of each |
|
|
even-numbered [odd-numbered] year, a state agency shall complete a |
|
|
review of the operational aspects of the agency's information |
|
|
resources deployment following instructions developed by the |
|
|
department. |
|
|
SECTION 4. Section 2157.007, Government Code, is amended by |
|
|
amending Subsection (b) and adding Subsection (e) to read as |
|
|
follows: |
|
|
(b) A state agency shall [may] consider cloud computing |
|
|
service options, including any cost savings associated with |
|
|
purchasing those service options from a commercial cloud computing |
|
|
service provider and a statewide technology center established by |
|
|
the department, when making purchases for a major information |
|
|
resources project under Section 2054.118. |
|
|
(e) Not later than August 1 of each even-numbered year, the |
|
|
department, using existing resources, shall submit a report to the |
|
|
governor, lieutenant governor, and speaker of the house of |
|
|
representatives on the use of cloud computing service options by |
|
|
state agencies. The report must include use cases that provided |
|
|
cost savings and other benefits, including security enhancements. |
|
|
A state agency shall cooperate with the department in the creation |
|
|
of the report by providing timely and accurate information and any |
|
|
assistance required by the department. |
|
|
SECTION 5. This Act takes effect September 1, 2017. |