Amend CSHB 4214 (house committee report) as follows:
(1)  On page 4, line 14, between "Resources" and the underlined comma, insert "and the Information Technology Council for Higher Education".
(2)  On page 6, line 11, between "department" and "shall", insert ", in consultation with the Information Technology Council for Higher Education,".
(3)  On page 7, strike lines 2-14, and substitute the following:
Sec. 2054.069.  SECURITY GUIDANCE FOR INTERNET CONNECTIVITY OF CERTAIN OBJECTS. (a) The department, in consultation with representatives of the information technology industry, voluntary standards organizations, the 10 state agencies that received the most state appropriations for that state fiscal year as determined by the Legislative Budget Board, and the Information Technology Council for Higher Education, shall develop comprehensive risk management guidance that identifies baseline security features for the Internet connectivity of computing devices embedded in objects used or purchased by state agencies.
(b)  In developing the guidance under Subsection (a), the department shall identify and use existing international security standards and best practices and any known security gaps for a range of deployments, including critical systems and consumer usage.
(4)  On page 8, line 26, between "specified" and "security-related", insert "summary-level".
(5)  On page 9, strike line 12, and substitute "The department, in consultation with the Information Technology Council for Higher Education, shall:".
(6)  On page 9, line 17, between "a" and "statewide", insert "summary-level".
(7)  On page 11, between lines 21 and 22, insert the following appropriately lettered subsection and reletter subsequent subsections and cross-references to those subsections accordingly:
(____) The department shall include at least one institution of higher education in the list of independent third parties under Subsection (a)(1).
(8)  Strike page 16, line 27, through page 17, line 3, and substitute the following:
interest a written statement providing whether, at the time of submitting the bid, offer, proposal, or expression of interest, the vendor has actual knowledge of a confirmed security vulnerability or defect in the device's hardware, software, or firmware that would adversely affect the security of state data and is subject to an applicable notification law.
(c)  If a security vulnerability or defect is identified by a vendor under Subsection (b), the contracting state agency may request additional information in order to assess:
(1)  the potential impact of the vulnerability or defect on the agency's planned use of the device; and
(2)  whether a security patch or other means of mitigation is currently available or expected within a specific period of time.
(9)  Strike page 17, line 8, through page 18, line 5, and substitute the following:
SECTION 17.  Section 2157.007, Government Code, is amended by amending Subsections (a) and (b) and adding Subsections (b-1), (b-2), and (f) to read as follows:
(a)  In this section:
(1)  "Cloud computing service" has the meaning assigned by Special Publication 800-145 issued by the United States Department of Commerce National Institute of Standards and Technology, as the definition existed on January 1, 2015.
(2)  "Major information resources project" has the meaning assigned by Section 2054.003.
(b)  Except as provided by Subsection (b-1), a [A] state agency shall ensure [consider cloud computing service options, including any security benefits and cost savings associated with purchasing those service options from a cloud computing service provider and from a statewide technology center established by the department], when making purchases for an automated information system or a major information resources project, that the system or project is capable of being deployed and run on cloud computing services [under Section 2054.118].
(b-1)  When making a purchase for an automated information system or a major information resources project, a state agency may determine that, due to integration limitations with legacy systems, security risks, costs, or other relevant considerations, the agency is unable to purchase a system or project capable of being deployed and run on cloud computing services.
(b-2)  At least 14 days before the date a state agency solicits bids, proposals, offers, or other applicable expressions of interest for a purchase described by Subsection (b-1), the agency shall submit to the Legislative Budget Board for the purchase of an automated information system or to the quality assurance team as defined by Section 2054.003 for the purchase of a major information resources project a report that describes the purchase and the agency's reasoning for making the purchase.
(f)  The department shall periodically review guidelines on state agency information that may be stored by a cloud computing or other storage service and the cloud computing or other storage services available to state agencies for that storage to ensure that an agency purchasing a major information resources project selects the most affordable, secure, and efficient cloud computing or other storage service available to the agency. The guidelines must include appropriate privacy and security standards that, at a minimum, require a vendor who offers cloud computing or other storage services or other software, applications, online services, or information technology solutions to any state agency to demonstrate that data provided by the state to the vendor will be maintained in compliance with all applicable state and federal laws and rules.