Amend CSHB 4214 (house committee printing) as follows:
(1)  Strike page 11, lines 8-10, and substitute the following:
SECTION 13.  Subchapter N-1, Chapter 2054, Government Code, is amended by adding Sections 2054.5155, 2054.5172, 2054.519, 2054.5191, 2054.5192, 2054.5193, 2054.5194, and 2054.5195 to read as follows:
(2)  On page 12, between lines 12 and 13, insert the following:
Sec. 2054.5172.  CYBER RANGE. (a) In this section, "cyber range" means a virtual environment used for interactive training in the defense against and response to cyberwarfare and other cybersecurity incidents.
(b)  The department may create a cyber range for use by public sector employees with responsibility for cybersecurity to improve this state's cybersecurity capabilities.
(3)  On page 14, between lines 26 and 27, insert the following:
Sec. 2054.5193.  CYBERSECURITY RESOURCES PROGRAM FOR STATE AGENCIES. (a) The department may establish a program that provides to state agencies the use of information security officers and other cybersecurity resources to assist in managing the agencies' information security.
(b)  The department shall adopt rules to implement this section.
Sec. 2054.5194.  CYBERSECURITY INSURANCE. (a) The State Office of Risk Management shall evaluate the feasibility of providing cybersecurity insurance policies to state agencies.
(b)  The State Office of Risk Management shall develop guidance for state agencies regarding cybersecurity insurance coverage. The guidance must:
(1)  be based on best practices for making cybersecurity insurance coverage decisions; and
(2)  assist a state agency in determining whether:
(A)  cybersecurity insurance coverage would be beneficial to the agency; and
(B)  the agency should purchase a cybersecurity insurance policy from a third party or self-insure.
(c)  The department shall review and consider the guidance developed under this section in connection with the department's protection of statewide technology centers.
Sec. 2054.5195.  BUG BOUNTY PROGRAM. (a) The department by rule may establish a bug bounty program, using money available for that purpose from legislative appropriations, to pay bounties to persons who uncover or resolve security flaws in state websites and applications.
(b)  The department may determine eligibility criteria for receiving a bounty under this section and the amount of a bounty to be paid under this section.
(c)  An employee of or contractor with a state agency is not eligible to receive a bounty under this section.
(d)  The payment of a bounty under this section does not affect a person's civil or criminal liability for prohibited conduct related to a state website or application.
(4)  Add the following appropriately numbered SECTIONS to the bill and renumber subsequent SECTIONS of the bill accordingly:
SECTION ____.  Section 552.139(b), Government Code, is amended to read as follows:
(b)  The following information is confidential:
(1)  a computer network vulnerability report;
(2)  any other assessment of the extent to which data processing operations, a computer, a computer program, network, system, or system interface, or software of a governmental body or of a contractor of a governmental body is vulnerable to unauthorized access or harm, including an assessment of the extent to which the governmental body's or contractor's electronically stored information containing sensitive or critical information is vulnerable to alteration, damage, erasure, or inappropriate use;
(3)  a photocopy or other copy of an identification badge issued to an official or employee of a governmental body; [and]
(4)  information directly arising from a governmental body's routine efforts to prevent, detect, investigate, or mitigate a computer security incident, including information contained in or derived from an information security log; and
(5)  information about a state agency's cybersecurity insurance coverage, including policy provisions and coverage limits.
SECTION ____.  Section 2054.1125, Government Code, is amended by adding Subsection (c) to read as follows:
(c)  Not later than the 10th business day after the date of the eradication of, closure of, and recovery from a breach, suspected breach, or unauthorized exposure, a state agency shall notify the department, including the chief information security officer, of the details of the event.
SECTION ____.  Section 2054.136, Government Code, is amended to read as follows:
Sec. 2054.136.  DESIGNATED INFORMATION SECURITY OFFICER; DUTIES. (a) In this section, "cloud computing service" has the meaning assigned by Section 2157.007.
(b)  Each state agency shall designate an information security officer who:
(1)  reports to the agency's executive-level management;
(2)  has authority over information security for the entire agency;
(3)  possesses the training and experience required to perform the duties required by department rules; and
(4)  to the extent feasible, has information security duties as the officer's primary duties.
(c)  A state agency's information security officer must authorize the purchase of cloud computing services before the agency may enter into a contract for those services.
SECTION ____.  Section 2054.136, Government Code, as amended by this Act, applies only to a contract for cloud computing services that is entered into on or after the effective date of this Act. A contract entered into before the effective date of this Act is governed by the law in effect on the date the contract was entered into, and the former law is continued in effect for that purpose.