Austin, Texas
May 25, 2017

Honorable Joe Straus, Speaker of the House, House of Representatives
Ursula Parks, Director, Legislative Budget Board
HB8 by Capriglione (Relating to cybersecurity for state agency information resources.), As Passed 2nd House

The statewide fiscal implications of the bill cannot be determined at this time, but it is expected to result in a cost to the State. These costs primarily relate to provisions that would require agencies to conduct a risk assessment every two years and periodic vulnerability and penetration tests before deploying certain website or mobile applications.

The bill sets forth certain requirements all agencies would be required to follow relating to cybersecurity. Statewide costs cannot be determined because the impact would be contingent on factors such as an agency's existing information technology infrastructure, current practices, and the number of full-time equivalent positions currently supporting related services. Some agencies such as Texas A&M University and the Texas Department of Transportation estimate an indeterminate but significant cost would be incurred to comply with the requirements of the bill.

The bill also sets forth requirements that would only be applicable to certain agencies. The Sunset Advisory Commission would be required to assess agency cybersecurity practices as part of their reviews, which the Commission estimates would cost $229,890 in General Revenue Funds during the 2018-19 biennium, including 1.0 additional FTE to provide relevant subject matter expertise. This analysis assumes the Department of Information Resources (DIR) would have an estimated cumulative cost of $2.2 million and 2.0 additional FTEs for the 2018-19 biennium as a result of requirements to develop plans to address cybersecurity risks and incidents. According to DIR, costs would be funded through the Clearing Fund (Appropriated Receipts), which is generated through administrative fees charged to purchases made through DIR's Cooperative Contracts program. Entities that make purchases through the Cooperative Contracts program include state agencies, institutions of higher education, and local jurisdictions. This analysis assumes that if appropriations do not cover the cost of implementation, DIR would increase administrative fee rates to generate sufficient revenues.

The bill would require DIR to provide mandatory guidelines for all state agency information resources employees regarding continuing education for cybersecurity training and certification. The fiscal impact of continuing education would depend on the training requirements developed by DIR. Agencies such as Trusteed Programs within the Office of the Governor (Trusteed Programs) and the Health and Human Services Commission reported that costs associated with ongoing training requirements could be absorbed within existing resources. The Texas Workforce Commission reported that 272.0 FTEs perform IT-related projects, and training these staff is estimated to cost $791,384 in General Revenue Funds for the 2018-19 biennium. It is assumed that training and certification requirements and associated costs would continue in subsequent biennia.

The bill would require each state agency to conduct a security assessment of the agency's information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities at least once every two years. Each state agency would be required to report the results of the assessment to DIR, the Governor, the Lieutenant Governor, and the Speaker of the House of Representatives by December 1 in the year in which the agency conducts the assessment. The bill would require DIR to establish the requirements for the information security assessment and report.

The bill would also require that each agency conduct a vulnerability and penetration test of each state agency's website or mobile application that processes any personally identifiable or confidential information. This provision could have a cost for some agencies, although the amount would depend on the manner in which it is implemented by the agency.

The bill would require DIR to develop a plan to address cybersecurity risks and incidents in the state, and would authorize an agreement with a national organization to support DIR's efforts in implementing components for which the agency lacks resources to address internally. This may include provisions such as providing state agencies training and simulation exercises and assistance in developing emergency plans. DIR indicated that the agency would need 2.0 additional FTEs to accomplish the provisions of the bill, estimated at $2.2 million for the 2018-19 biennium.

Based on agency responses and LBB staff analysis, it is assumed that other provisions of the bill would not have a significant fiscal impact and could be implemented within existing resources.

The bill would take effect September 1, 2017.

Local Government Impact

According to the Texas Association of Counties, this bill would have no fiscal impact to units of local government.

Source Agencies:
116 Sunset Advisory Commission, 304 Comptroller of Public Accounts, 300 Trusteed Programs Within the Office of the Governor, 313 Department of Information Resources, 320 Texas Workforce Commission, 529 Health and Human Services Commission, 601 Department of Transportation, 710 Texas A&M University System Administrative and General Offices
LBB Staff:
UP, CL, MMe, BRi