A BILL TO BE ENTITLED

AN ACT

relating to information collected about and purchases of information technology by governmental entities.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 552.139, Government Code, is amended by amending Subsection (b) and adding Subsection (b-1) to read as follows:

(b) Except as provided by Subsection (b-1), the [The] following information is confidential:

(1) a computer network vulnerability report;

(2) any other assessment of the extent to which data processing operations, a computer, a computer program, network, system, or system interface, or software of a governmental body or of a contractor of a governmental body is vulnerable to unauthorized access or harm, including an assessment of the extent to which the governmental body's or contractor's electronically stored information containing sensitive or critical information is vulnerable to alteration, damage, erasure, or inappropriate use; [and]

(3) a photocopy or other copy of an identification badge issued to an official or employee of a governmental body; and

(4) information directly arising from a governmental body's routine efforts to prevent, detect, or investigate a computer security incident, including information contained in or derived from an information security log.

(b-1) Subsection (b) does not apply to information related to a breach of system security as defined by Section 521.053, Business & Commerce Code.

SECTION 2. Subchapter C, Chapter 2054, Government Code, is amended by adding Section 2054.068 to read as follows:

Sec. 2054.068. INFORMATION TECHNOLOGY INFRASTRUCTURE REPORT. (a) In this section, "information technology" includes information resources and information resources technologies.

(b) The department shall collect from each state agency information on the status and condition of the agency's information technology infrastructure, including information regarding:

(1) the agency's information security program;

(2) an inventory of the agency's servers, mainframes, cloud services, and other information technology equipment;

(3) identification of vendors that operate and manage the agency's information technology infrastructure; and

(4) any additional related information requested by the department.

(c) A state agency shall provide the information required by Subsection (b) to the department according to a schedule determined by the department.

(d) Not later than November 15 of each even-numbered year, the department shall submit to the governor, chair of the house appropriations committee, chair of the senate finance committee, speaker of the house of representatives, lieutenant governor, and staff of the Legislative Budget Board a consolidated report of the information submitted by state agencies under Subsection (b).

(e) The consolidated report required by Subsection (d) must:

(1) include an analysis and assessment of each state agency's security and operational risks; and

(2) for a state agency found to be at higher security and operational risks, include a detailed analysis of, and an estimate of the costs to implement, the:

(A) requirements for the agency to address the risks and related vulnerabilities; and

(B) agency's efforts to address the risks through the:

(i) modernization of information technology systems;

(ii) use of cloud services; and

(iii) use of a statewide technology center established by the department.

(f) With the exception of information that is confidential under Chapter 552, including Section 552.139, or other state or federal law, the consolidated report submitted under Subsection (d) is public information and must be released or made available to the public on request. A governmental body as defined by Section 552.003 may withhold information confidential under Chapter 552, including Section 552.139, or other state or federal law that is contained in a consolidated report released under this subsection without the necessity of requesting a decision from the attorney general under Subchapter G, Chapter 552.

(g) This section does not apply to an institution of higher education or university system, as defined by Section 61.003, Education Code.

SECTION 3. Section 2054.0965(a), Government Code, is amended to read as follows:

(a) Not later than March 31 [December 1] of each even-numbered [odd-numbered] year, a state agency shall complete a review of the operational aspects of the agency's information resources deployment following instructions developed by the department.

SECTION 4. Section 2157.007, Government Code, is amended by amending Subsection (b) and adding Subsection (e) to read as follows:

(b) A state agency shall [may] consider cloud computing service options, including any security benefits and cost savings associated with purchasing those service options from a cloud computing service provider and from a statewide technology center established by the department, when making purchases for a major information resources project under Section 2054.118.

(e) Not later than November 15 of each even-numbered year, the department, using existing resources, shall submit a report to the governor, lieutenant governor, and speaker of the house of representatives on the use of cloud computing service options by state agencies. The report must include use cases that provided cost savings and other benefits, including security enhancements. A state agency shall cooperate with the department in the creation of the report by providing timely and accurate information and any assistance required by the department.

SECTION 5. Section 552.139(b), Government Code, as amended by this Act, applies only to a request for public information received on or after the effective date of this Act. A request received before the effective date of this Act is governed by the law in effect when the request was received, and the former law is continued in effect for that purpose.

SECTION 6. This Act takes effect September 1, 2017.