Austin, Texas
April 14, 2017

Honorable Gary Elkins, Chair, House Committee on Government Transparency & Operation
Ursula Parks, Director, Legislative Budget Board
HB8 by Capriglione (Relating to cybersecurity for state agency information resources.), Committee Report 1st House, Substituted

The statewide fiscal implications of the bill cannot be determined at this time, but the bill is expected to result in a cost to the State. These costs primarily relate to provisions that would require agencies to contract with an independent third party to perform a risk assessment every five years and periodic vulnerability and penetration tests before deploying certain website or mobile applications.

The bill sets forth certain requirements all agencies would be required to follow relating to cybersecurity. Statewide costs cannot be determined because the impact would be contingent on factors such as an agency's existing information technology infrastructure, current practices, and the number of full-time equivalent (FTE) positions currently supporting related services. Some agencies such as Texas A&M University and the Texas Department of Transportation (TxDOT) estimate an indeterminate but significant cost would be incurred to comply with the requirements of the bill. The University of Texas System Administration reported a cumulative cost of $6.0 million in General Revenue Funds, $1.4 million in Available University Funds and an additional 13.2 FTEs would be required in the 2018-19 biennium to accomplish the provisions of the bill.

The bill also sets forth requirements that would only be applicable to certain agencies. The Sunset Advisory Commission would be required to assess agency cybersecurity practices as part of their reviews, which the Commission estimates would cost $229,890 in General Revenue Funds during the 2018-19 biennium, including 1.0 additional FTE to provide relevant subject matter expertise. Requirements that would apply to the Department of Public Safety (DPS) and Department of Information Resources (DIR) are noted below. Based on LBB staff analysis, the cumulative impact to DPS would be a cost of $6.1 million in General Revenue Funds, including an additional 3.0 FTEs, and certain requirements would have significant yet indeterminate costs. No significant fiscal impact is assumed for DIR to accomplish the bill's requirements of them specifically.

The bill would require DPS to develop a plan to address cybersecurity risks and incidents in the state, and authorizes an agreement with a national organization to support DPS' efforts in implementing components for which the agency lacks resources to address internally. This may include provisions such as providing state agencies training and simulation exercises and assistance in developing emergency plans. Based on LBB staff analysis, DPS would require 3.0 additional FTEs to accomplish these provisions at a cost of approximately $0.7 million in General Revenue Funds for the 2018-19 biennium. This analysis assumes DPS would provide fee reimbursement for appropriate industry-recognized certification examinations under the agreement. According to DPS staff, this would cost an additional $5.2 million in General Revenue Funds, assuming $20 per certification for 260,000 responders.

The bill would require DIR to provide mandatory guidelines for all state agency information resources employees regarding continuing education for cybersecurity training and certification. The fiscal impact of continuing education would depend on the training requirements developed by DIR. Agencies such as Trusteed Programs within the Office of the Governor (Trusteed Programs) and the Health and Human Services Commission reported costs associated with ongoing training requirements could be absorbed within existing resources. The Texas Workforce Commission reported 272 FTEs perform IT-related projects and training these staff is estimated to cost $791,384 in General Revenue Funds for the 2018-19 biennium. It is assumed that training and certification requirements and associated costs would continue in subsequent biennia.

The bill would require each state agency to contract at least every five years with an independent third party to conduct and submit to DIR a risk assessment of exposure to security risks. The fiscal impact of this provision would depend on DIR's certification of contractors and the scope and requirements DIR develops for the risk assessment. Agencies provided a variety of estimates regarding potential costs for these risk assessments. Trusteed Programs estimated a cost of $50,000 in General Revenue Funds per assessment and the University of Texas System estimated costs of $150,000 to $350,000 per institution. It is assumed these costs would repeat in subsequent five-year periods.

The bill would also require that each state agency (other than an institution of higher education) website or mobile application processing any personally identifiable or confidential information undergo a vulnerability and penetration test conducted by an independent third party. The Comptroller of Public Accounts estimated third party contracting costs would be $750,000 per year and require 1.0 additional FTE for the agency's approximately 88 website applications processing confidential taxpayer information.

DIR indicated it could extend its risk assessment programs to include all agencies and institutions of higher education. If agencies or institutions were to use DIR to accomplish the provisions of the bill related to third party testing requirements, DIR reports that third party costs for up to 48 tests per year could be absorbed under their current contract model. DIR estimates a potential cost of $4.0 million in the biennium were agencies to choose to use a standardized framework developed by DIR for both risk assessment and testing requirements, and assumes this would include 20 new vulnerability tests per year at a cost of $10,000 per test.

The bill would require a state agency to destroy or arrange for the destruction of information that alone or in conjunction with other information presents a cybersecurity risk and alone or in conjunction with other information identifies an individual, if retention of the information is not required under law or for other legal reasons. The cost of this would vary based on how much personally identifiable information an agency retains and what related activities an agency currently undertakes. DIR indicated this could be absorbed within existing resources, the Texas Medical Board estimated this would cost $50,000 in fiscal year 2019 and DPS stated the costs related to Intelligence and Counterterrorism Division and Homeland Security responsibilities would be significant but cannot be determined.

Based on agency responses and LBB staff analysis, it is assumed that other provisions of the bill would not have a significant fiscal impact and could be implemented within existing resources.

The bill would take effect September 1, 2017.

Local Government Impact

No fiscal implication to units of local government is anticipated.

Source Agencies:
306 Library & Archives Commission, 307 Secretary of State, 710 Texas A&M University System Administrative and General Offices, 781 Higher Education Coordinating Board, 116 Sunset Advisory Commission, 300 Trusteed Programs Within the Office of the Governor, 304 Comptroller of Public Accounts, 313 Department of Information Resources, 320 Texas Workforce Commission, 323 Teacher Retirement System, 405 Department of Public Safety, 503 Texas Medical Board, 515 Board of Pharmacy, 529 Health and Human Services Commission, 578 Board of Veterinary Medical Examiners, 601 Department of Transportation, 701 Texas Education Agency, 720 The University of Texas System Administration
LBB Staff: