| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to matters concerning governmental entities, including |
|
|
cybersecurity, governmental efficiencies, information resources, |
|
|
and emergency planning. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Section 37.108(b), Education Code, is amended to |
|
|
read as follows: |
|
|
(b) At least once every three years, each school district or |
|
|
public junior college district shall conduct a safety and security |
|
|
audit of the district's facilities, including an information |
|
|
technology cybersecurity assessment. To the extent possible, a |
|
|
district shall follow safety and security audit procedures |
|
|
developed by the Texas School Safety Center or a comparable public |
|
|
or private entity. |
|
|
SECTION 2. Subchapter C, Chapter 61, Education Code, is |
|
|
amended by adding Section 61.09092 to read as follows: |
|
|
Sec. 61.09092. COORDINATION OF CYBERSECURITY COURSEWORK |
|
|
DEVELOPMENT. (a) In this section, "lower-division institution of |
|
|
higher education" means a public junior college, public state |
|
|
college, or public technical institute. |
|
|
(b) The board, in consultation with the Department of |
|
|
Information Resources, shall coordinate with lower-division |
|
|
institutions of higher education and entities that administer or |
|
|
award postsecondary industry certifications or other workforce |
|
|
credentials in cybersecurity to develop certificate programs or |
|
|
other courses of instruction leading toward those certifications or |
|
|
credentials that may be offered by lower-division institutions of |
|
|
higher education. |
|
|
(c) The board may adopt rules as necessary for the |
|
|
administration of this section. |
|
|
SECTION 3. Subchapter F, Chapter 401, Government Code, is |
|
|
amended by adding Section 401.106 to read as follows: |
|
|
Sec. 401.106. CHIEF INNOVATION OFFICER. (a) The governor |
|
|
shall appoint a chief innovation officer. |
|
|
(b) The chief innovation officer shall: |
|
|
(1) develop procedures and processes to improve |
|
|
internal state government efficiency and performance; |
|
|
(2) develop methods to improve the experience of |
|
|
residents, businesses, and local governments in interacting with |
|
|
state government; |
|
|
(3) in cooperation with the Department of Information |
|
|
Resources, increase the use of technology by state agencies to |
|
|
improve services provided by the agencies and to reduce state |
|
|
expenses and inefficiencies; |
|
|
(4) provide state agency personnel with training in |
|
|
skills that support innovation; |
|
|
(5) provide state agency managers with training to |
|
|
support innovation and encourage creative thinking; and |
|
|
(6) develop and apply measures to document |
|
|
improvements in state government innovation and in employee skills |
|
|
that support innovation. |
|
|
(c) In performing the duties required under Subsection (b), |
|
|
the chief innovation officer shall: |
|
|
(1) use strategic innovation; |
|
|
(2) promote open innovation; |
|
|
(3) introduce and use group tools and processes that |
|
|
encourage creative thinking; and |
|
|
(4) conduct market research to determine the best |
|
|
practices for increasing innovation and implement those best |
|
|
practices. |
|
|
SECTION 4. Section 418.004(1), Government Code, is amended |
|
|
to read as follows: |
|
|
(1) "Disaster" means the occurrence or imminent threat |
|
|
of widespread or severe damage, injury, or loss of life or property |
|
|
resulting from any natural or man-made cause, including fire, |
|
|
flood, earthquake, wind, storm, wave action, oil spill or other |
|
|
water contamination, volcanic activity, epidemic, air |
|
|
contamination, blight, drought, infestation, explosion, riot, |
|
|
hostile military or paramilitary action, extreme heat, cyber |
|
|
attack, other public calamity requiring emergency action, or energy |
|
|
emergency. |
|
|
SECTION 5. Subchapter B, Chapter 421, Government Code, is |
|
|
amended by adding Section 421.027 to read as follows: |
|
|
Sec. 421.027. CYBER INCIDENT STUDY AND RESPONSE PLAN. (a) |
|
|
In this section: |
|
|
(1) "Cyber incident" means an event occurring on or |
|
|
conducted through a computer network that actually or imminently |
|
|
jeopardizes the integrity, confidentiality, or availability of |
|
|
computers, information or communications systems or networks, |
|
|
physical or virtual infrastructure controlled by computers or |
|
|
information systems, or information on the computers or systems. |
|
|
The term includes a vulnerability in implementation or in an |
|
|
information system, system security procedure, or internal control |
|
|
that could be exploited by a threat source. |
|
|
(2) "Significant cyber incident" means a cyber |
|
|
incident, or a group of related cyber incidents, likely to result in |
|
|
demonstrable harm to state security interests, foreign relations, |
|
|
or the economy of this state or to the public confidence, civil |
|
|
liberties, or public health and safety of the residents of this |
|
|
state. |
|
|
(b) The council, in cooperation with the Department of |
|
|
Information Resources and the Information Technology Council for |
|
|
Higher Education, shall: |
|
|
(1) conduct a study regarding cyber incidents and |
|
|
significant cyber incidents affecting state agencies and critical |
|
|
infrastructure that is owned, operated, or controlled by agencies; |
|
|
and |
|
|
(2) develop a comprehensive state response plan to |
|
|
provide a format for each state agency to develop an |
|
|
agency-specific response plan and to implement the plan into the |
|
|
agency's information security plan required under Section 2054.133 |
|
|
to be implemented by the agency in the event of a cyber incident or |
|
|
significant cyber incident affecting the agency or critical |
|
|
infrastructure that is owned, operated, or controlled by the |
|
|
agency. |
|
|
(c) Not later than September 1, 2020, the council shall |
|
|
deliver the response plan and a report on the findings of the study |
|
|
to: |
|
|
(1) the public safety director of the Department of |
|
|
Public Safety; |
|
|
(2) the governor; |
|
|
(3) the lieutenant governor; |
|
|
(4) the speaker of the house of representatives; |
|
|
(5) the chair of the committee of the senate having |
|
|
primary jurisdiction over homeland security matters; and |
|
|
(6) the chair of the committee of the house of |
|
|
representatives having primary jurisdiction over homeland security |
|
|
matters. |
|
|
(d) The response plan required by Subsection (b) and the |
|
|
report required by Subsection (c) are not public information for |
|
|
purposes of Chapter 552. |
|
|
(e) This section expires December 1, 2020. |
|
|
SECTION 6. Subchapter F, Chapter 437, Government Code, is |
|
|
amended by adding Section 437.255 to read as follows: |
|
|
Sec. 437.255. ASSISTING TEXAS STATE GUARD WITH CYBER |
|
|
OPERATIONS. To serve the state and safeguard the public from |
|
|
malicious cyber activity, the governor may command the Texas |
|
|
National Guard to assist the Texas State Guard with defending the |
|
|
state's cyber operations. |
|
|
SECTION 7. Subchapter C, Chapter 531, Government Code, is |
|
|
amended by adding Section 531.1051 to read as follows: |
|
|
Sec. 531.1051. TECHNOLOGY FOR ELIGIBILITY FRAUD |
|
|
PREVENTION. (a) The commission shall use technology to identify |
|
|
the risk for fraud associated with applications for health and |
|
|
human services program benefits to prevent fraud with respect to |
|
|
eligibility determinations for those programs. To the extent |
|
|
allowed by federal law, the commission shall set appropriate |
|
|
verification and documentation requirements based on the risk |
|
|
identified for particular applications to ensure that commission |
|
|
resources are appropriately targeted to maximize fraud reduction |
|
|
and accuracy of eligibility determinations. |
|
|
(b) Enhanced eligibility screening tools the commission |
|
|
implements for the purposes of this section must use technology |
|
|
that provides non-modeled employment and income verification data |
|
|
in an automated electronic format. |
|
|
SECTION 8. The heading to Section 656.047, Government Code, |
|
|
is amended to read as follows: |
|
|
Sec. 656.047. PAYMENT OF PROGRAM AND CERTIFICATION |
|
|
EXAMINATION EXPENSES. |
|
|
SECTION 9. Section 656.047, Government Code, is amended by |
|
|
adding Subsection (a-1) to read as follows: |
|
|
(a-1) A state agency may spend public funds as appropriate |
|
|
to reimburse a state agency employee or administrator who serves in |
|
|
an information technology, cybersecurity, or other cyber-related |
|
|
position for fees associated with industry-recognized |
|
|
certification examinations. |
|
|
SECTION 10. Chapter 2051, Government Code, is amended by |
|
|
adding Subchapter E to read as follows: |
|
|
SUBCHAPTER E. UNIFORM ELECTRONIC LEGAL MATERIAL ACT |
|
|
Sec. 2051.151. SHORT TITLE. This subchapter may be cited as |
|
|
the Uniform Electronic Legal Material Act. |
|
|
Sec. 2051.152. DEFINITIONS. In this subchapter: |
|
|
(1) "Electronic" means relating to technology having |
|
|
electrical, digital, magnetic, wireless, optical, electromagnetic, |
|
|
or similar capabilities. |
|
|
(2) "Legal material" means, whether or not in effect: |
|
|
(A) the constitution of this state; |
|
|
(B) the general or special laws passed in a |
|
|
regular or special session of the Texas Legislature; and |
|
|
(C) a state agency rule adopted in accordance |
|
|
with Chapter 2001. |
|
|
(3) "Official publisher" means: |
|
|
(A) for legal material described by Subdivision |
|
|
(2)(A), the Texas Legislative Council; and |
|
|
(B) for legal material described by Subdivision |
|
|
(2)(B) or (C), the secretary of state. |
|
|
(4) "Publish" means displaying, presenting, or |
|
|
releasing to the public, or causing to be displayed, presented, or |
|
|
released to the public, legal material by the official publisher. |
|
|
(5) "Record" means information that is inscribed on a |
|
|
tangible medium or that is stored in an electronic or other medium |
|
|
and is retrievable in perceivable form. |
|
|
Sec. 2051.153. APPLICABILITY. (a) This subchapter applies |
|
|
to all legal material in an electronic record that is: |
|
|
(1) designated as official by the official publisher |
|
|
under Section 2051.154; and |
|
|
(2) first published electronically by the official |
|
|
publisher on or after January 1, 2021. |
|
|
(b) The official publisher is not required to publish legal |
|
|
material on or before the date on which the legal material takes |
|
|
effect. |
|
|
Sec. 2051.154. LEGAL MATERIAL IN OFFICIAL ELECTRONIC |
|
|
RECORD. (a) If the official publisher publishes legal material |
|
|
only in an electronic record, the official publisher shall: |
|
|
(1) designate the electronic record as official; and |
|
|
(2) comply with Sections 2051.155, 2051.157, and |
|
|
2051.158. |
|
|
(b) If the official publisher publishes legal material in an |
|
|
electronic record and also publishes the material in a record other |
|
|
than an electronic record, the official publisher may designate the |
|
|
electronic record as official if the official publisher complies |
|
|
with Sections 2051.155, 2051.157, and 2051.158. |
|
|
Sec. 2051.155. AUTHENTICATION OF OFFICIAL ELECTRONIC |
|
|
RECORD. (a) If the official publisher designates an electronic |
|
|
record as official in accordance with Section 2051.154, the |
|
|
official publisher shall authenticate the record. |
|
|
(b) The official publisher authenticates an electronic |
|
|
record by providing a method with which a person viewing the |
|
|
electronic record is able to determine that the electronic record |
|
|
is unaltered from the official record published by the official |
|
|
publisher. |
|
|
Sec. 2051.156. EFFECT OF AUTHENTICATION. (a) Legal |
|
|
material in an electronic record that is authenticated as provided |
|
|
by Section 2051.155 is presumed to be an accurate copy of the legal |
|
|
material. |
|
|
(b) If another state has adopted a law that is substantially |
|
|
similar to this subchapter, legal material in an electronic record |
|
|
that is authenticated in that state is presumed to be an accurate |
|
|
copy of the legal material. |
|
|
(c) A party contesting the authenticity of legal material in |
|
|
an electronic record authenticated as provided by Section 2051.155 |
|
|
has the burden of proving by a preponderance of the evidence that |
|
|
the record is not authentic. |
|
|
Sec. 2051.157. PRESERVATION AND SECURITY OF LEGAL MATERIAL |
|
|
IN OFFICIAL ELECTRONIC RECORD. (a) The official publisher of legal |
|
|
material in an electronic record designated as official in |
|
|
accordance with Section 2051.154 shall provide for the preservation |
|
|
and security of the record in an electronic form or in a form that is |
|
|
not electronic. |
|
|
(b) If legal material is preserved under Subsection (a) in |
|
|
an electronic record, the official publisher shall: |
|
|
(1) ensure the integrity of the record; |
|
|
(2) provide for backup and disaster recovery of the |
|
|
record; and |
|
|
(3) ensure the continuing usability of the legal |
|
|
material in the record. |
|
|
Sec. 2051.158. PUBLIC ACCESS. The official publisher of |
|
|
legal material in an electronic record that is required to be |
|
|
preserved under Section 2051.157 shall ensure that the material is |
|
|
reasonably available for use by the public on a permanent basis. |
|
|
Sec. 2051.159. STANDARDS. In implementing this subchapter, |
|
|
the official publisher of legal material in an electronic record |
|
|
shall consider: |
|
|
(1) the standards and practices of other |
|
|
jurisdictions; |
|
|
(2) the most recent standards regarding |
|
|
authentication, preservation, and security of and public access to |
|
|
legal material in an electronic record and other electronic |
|
|
records, as adopted by national standard-setting bodies; |
|
|
(3) the needs of users of legal material in electronic |
|
|
records; |
|
|
(4) the views of governmental officials and entities |
|
|
and other interested persons; and |
|
|
(5) to the extent practicable, the methods and |
|
|
technologies for the authentication, preservation, and security of |
|
|
and public access to legal material that are compatible with the |
|
|
methods and technologies used by official publishers in other |
|
|
states that have adopted a law that is substantially similar to this |
|
|
subchapter. |
|
|
Sec. 2051.160. UNIFORMITY OF APPLICATION AND CONSTRUCTION. |
|
|
In applying and construing this subchapter, consideration must be |
|
|
given to the need to promote uniformity of the law with respect to |
|
|
the subject matter of this subchapter among states that enact a law |
|
|
similar to this subchapter. |
|
|
Sec. 2051.161. RELATION TO ELECTRONIC SIGNATURES IN GLOBAL |
|
|
AND NATIONAL COMMERCE ACT. This subchapter modifies, limits, and |
|
|
supersedes the federal Electronic Signatures in Global and National |
|
|
Commerce Act (15 U.S.C. Section 7001 et seq.) but does not modify, |
|
|
limit, or supersede Section 101(c) of that Act (15 U.S.C. Section |
|
|
7001(c)) or authorize electronic delivery of any of the notices |
|
|
described in Section 103(b) of that Act (15 U.S.C. Section |
|
|
7003(b)). |
|
|
SECTION 11. Section 2054.059, Government Code, is amended |
|
|
to read as follows: |
|
|
Sec. 2054.059. CYBERSECURITY. From available funds, the |
|
|
department, in consultation with the Information Technology |
|
|
Council for Higher Education, shall: |
|
|
(1) establish and administer a clearinghouse for |
|
|
information relating to all aspects of protecting the cybersecurity |
|
|
of state agency information; |
|
|
(2) develop strategies and a framework for: |
|
|
(A) the securing of cyberinfrastructure by state |
|
|
agencies, including critical infrastructure; and |
|
|
(B) cybersecurity risk assessment and mitigation |
|
|
planning; |
|
|
(3) develop and provide training to state agencies, |
|
|
including training for new employees of state agencies, on |
|
|
cybersecurity measures and awareness; |
|
|
(4) provide assistance to state agencies on request |
|
|
regarding the strategies and framework developed under Subdivision |
|
|
(2); and |
|
|
(5) promote public awareness of cybersecurity issues. |
|
|
SECTION 12. Subchapter C, Chapter 2054, Government Code, is |
|
|
amended by adding Section 2054.069 to read as follows: |
|
|
Sec. 2054.069. SECURITY GUIDANCE FOR INTERNET CONNECTIVITY |
|
|
OF CERTAIN OBJECTS. (a) The department, in consultation with |
|
|
representatives of the information technology industry, voluntary |
|
|
standards organizations, the 10 state agencies that received the |
|
|
most state appropriations for that state fiscal year as determined |
|
|
by the Legislative Budget Board, and the Information Technology |
|
|
Council for Higher Education, shall develop comprehensive risk |
|
|
management guidance that identifies baseline security features for |
|
|
the Internet connectivity of computing devices embedded in objects |
|
|
used or purchased by state agencies. |
|
|
(b) In developing the guidance under Subsection (a), the |
|
|
department shall identify and use existing international security |
|
|
standards and best practices and any known security gaps for a range |
|
|
of deployments, including critical systems and consumer usage. |
|
|
SECTION 13. Section 2054.1184, Government Code, is amended |
|
|
to read as follows: |
|
|
Sec. 2054.1184. ASSESSMENT OF MAJOR INFORMATION RESOURCES |
|
|
PROJECT. (a) A state agency proposing to spend appropriated funds |
|
|
for a major information resources project must first conduct an |
|
|
evidence-based execution capability assessment using a scoring |
|
|
method delivered by an independent third party to: |
|
|
(1) determine the agency's capability for implementing |
|
|
the project; |
|
|
(2) reduce the agency's financial risk in implementing |
|
|
the project; and |
|
|
(3) increase the probability of the agency's |
|
|
successful implementation of the project. |
|
|
(b) A state agency shall submit to the department, the |
|
|
quality assurance team established under Section 2054.158, and the |
|
|
Legislative Budget Board a detailed report that includes |
|
|
measurement and corrective actions for [identifies] the agency's |
|
|
operational and technical [organizational] strengths and any |
|
|
weaknesses that will be addressed before the agency initially |
|
|
spends appropriated funds for a major information resources |
|
|
project. |
|
|
(c) Based on project costs, risks, and technical |
|
|
difficulty, the department may require a [A] state agency to [may] |
|
|
contract with an independent third party to conduct the assessment |
|
|
under Subsection (a) and prepare the report described by Subsection |
|
|
(b). |
|
|
(d) The department may allow state agencies to purchase an |
|
|
execution capability assessment using the purchasing method |
|
|
described by Section 2157.068 for commodity items. |
|
|
SECTION 14. Subchapter F, Chapter 2054, Government Code, is |
|
|
amended by adding Sections 2054.137, 2054.138, and 2054.139 to read |
|
|
as follows: |
|
|
Sec. 2054.137. INFORMATION SECURITY CONTINUOUS MONITORING |
|
|
PROGRAM. (a) In this section: |
|
|
(1) "Common control" means a security control that is |
|
|
inherited by one or more information resources technologies. |
|
|
(2) "Program" means the information security |
|
|
continuous monitoring program described by this section. |
|
|
(b) Each state agency shall: |
|
|
(1) develop and maintain an information security |
|
|
continuous monitoring program that: |
|
|
(A) allows the agency to maintain ongoing |
|
|
awareness of the security and vulnerabilities of and threats to the |
|
|
agency's information resources; |
|
|
(B) provides a clear understanding of |
|
|
organizational risk and helps the agency set priorities and manage |
|
|
the risk consistently; |
|
|
(C) addresses how the agency conducts ongoing |
|
|
authorizations of information resources technologies and the |
|
|
environments in which those technologies operate, including the |
|
|
agency's use of common controls; |
|
|
(D) aligns with the continuous monitoring |
|
|
guidance, cybersecurity framework, and risk management framework |
|
|
published in Special Publications 800-137 and 800-53 by the United |
|
|
States Department of Commerce National Institute of Standards and |
|
|
Technology; |
|
|
(E) addresses critical security controls, |
|
|
including hardware asset management, software asset management, |
|
|
configuration management, and vulnerability management; and |
|
|
(F) requires the integration of cybersecurity |
|
|
products; |
|
|
(2) establish a strategy and plan to implement a |
|
|
program for the agency; |
|
|
(3) to the extent practicable, establish information |
|
|
security continuous monitoring as an agency-wide solution and |
|
|
deploy enterprise information security continuous monitoring |
|
|
products and services; |
|
|
(4) submit specified summary-level security-related |
|
|
information to the dashboard established under Subsection (c)(3); |
|
|
(5) evaluate and upgrade information resources |
|
|
technologies and deploy new products, including agency and |
|
|
component information security continuous monitoring dashboards, |
|
|
as necessary to support information security continuous monitoring |
|
|
and the need to submit security-related information requested by |
|
|
the department; |
|
|
(6) require that external service providers hosting |
|
|
state information meet state information security requirements for |
|
|
information security continuous monitoring; and |
|
|
(7) ensure the agency has adequate staff with the |
|
|
necessary training to meet the objectives of the program. |
|
|
(c) The department, in consultation with the Information |
|
|
Technology Council for Higher Education, shall: |
|
|
(1) oversee the implementation of this section by each |
|
|
state agency; |
|
|
(2) monitor and assist each state agency in |
|
|
implementation of a program and related strategies; and |
|
|
(3) establish a summary-level statewide dashboard for |
|
|
information security continuous monitoring that provides: |
|
|
(A) a government-wide view of information |
|
|
security continuous monitoring; and |
|
|
(B) technical specifications and guidance for |
|
|
state agencies on the requirements for submitting information for |
|
|
purposes of the dashboard. |
|
|
Sec. 2054.138. CYBERSECURITY THREAT SIMULATION EXERCISES. |
|
|
(a) In this section, "executive staff" means the management or |
|
|
senior level staff members of a state agency who directly report to |
|
|
the executive head of a state agency. |
|
|
(b) The executive head of a state agency and members of the |
|
|
executive staff may participate in cybersecurity threat simulation |
|
|
exercises with the agency's information resources technologies |
|
|
employees to test the cybersecurity capabilities of the agency. |
|
|
Sec. 2054.139. CYBERSECURITY TRAINING FOR NEW EMPLOYEES. |
|
|
Not later than the 30th day after the date on which a new employee |
|
|
begins employment with a state agency, the employee shall complete |
|
|
the cybersecurity training developed by the department under |
|
|
Section 2054.059. |
|
|
SECTION 15. Section 2054.512(d), Government Code, is |
|
|
amended to read as follows: |
|
|
(d) The cybersecurity council shall: |
|
|
(1) consider the costs and benefits of establishing a |
|
|
computer emergency readiness team to address cyber attacks |
|
|
occurring in this state during routine and emergency situations; |
|
|
(2) establish criteria and priorities for addressing |
|
|
cybersecurity threats to critical state installations; |
|
|
(3) consolidate and synthesize best practices to |
|
|
assist state agencies in understanding and implementing |
|
|
cybersecurity measures that are most beneficial to this state; |
|
|
[and] |
|
|
(4) assess the knowledge, skills, and capabilities of |
|
|
the existing information technology and cybersecurity workforce to |
|
|
mitigate and respond to cyber threats and develop recommendations |
|
|
for addressing immediate workforce deficiencies and ensuring a |
|
|
long-term pool of qualified applicants; and |
|
|
(5) ensure all middle and high schools have knowledge |
|
|
of and access to: |
|
|
(A) free cybersecurity courses and curriculum |
|
|
approved by the Texas Education Agency; |
|
|
(B) state and regional information sharing and |
|
|
analysis centers; and |
|
|
(C) contracting benefits, including as provided |
|
|
by Section 2054.0565. |
|
|
SECTION 16. Subchapter N-1, Chapter 2054, Government Code, |
|
|
is amended by adding Sections 2054.5155, 2054.519, 2054.5191, and |
|
|
2054.5192 to read as follows: |
|
|
Sec. 2054.5155. INDEPENDENT RISK ASSESSMENT. (a) At least |
|
|
once every five years, in accordance with department rules, each |
|
|
state agency shall: |
|
|
(1) contract with an independent third party selected |
|
|
from a list provided by the department to conduct an independent |
|
|
risk assessment of the agency's exposure to security risks in the |
|
|
agency's information resources systems and to conduct tests to |
|
|
practice securing systems and notifying all affected parties in the |
|
|
event of a data breach; and |
|
|
(2) submit the results of the independent risk |
|
|
assessment to the department. |
|
|
(b) The department shall include at least one institution of |
|
|
higher education in the list of independent third parties under |
|
|
Subsection (a)(1). |
|
|
(c) The department annually shall compile the results of the |
|
|
independent risk assessments conducted in the preceding year and |
|
|
prepare: |
|
|
(1) a public report on the general security issues |
|
|
covered by the assessments that does not contain any information |
|
|
the release of which may compromise any state agency's information |
|
|
resources system; and |
|
|
(2) a confidential report on specific risks and |
|
|
vulnerabilities that is exempt from disclosure under Chapter 552. |
|
|
(d) The department annually shall submit to the legislature |
|
|
a comprehensive report on the results of the independent risk |
|
|
assessments conducted under Subsection (a) during the preceding |
|
|
year that includes the report prepared under Subsection (c)(1) and |
|
|
that identifies systematic or pervasive security risk |
|
|
vulnerabilities across state agencies and recommendations for |
|
|
addressing the vulnerabilities but does not contain any information |
|
|
the release of which may compromise any state agency's information |
|
|
resources system. |
|
|
Sec. 2054.519. VENDOR RESPONSIBILITY FOR CYBERSECURITY. A |
|
|
vendor that contracts with this state to provide information |
|
|
resources technology for a state agency at a cost to the agency of |
|
|
$1 million or more is responsible for addressing known |
|
|
cybersecurity risks associated with the technology and is |
|
|
responsible for any cost associated with addressing the identified |
|
|
cybersecurity risks. For a major information resources project, |
|
|
the vendor shall provide to state agency contracting personnel: |
|
|
(1) a written attestation that: |
|
|
(A) the vendor has a cybersecurity risk |
|
|
management program consistent with: |
|
|
(i) the cybersecurity framework |
|
|
established by the National Institute of Standards and Technology; |
|
|
(ii) the 27000 series standards for |
|
|
information security published by the International Organization |
|
|
for Standardization; or |
|
|
(iii) other widely accepted security risk |
|
|
management frameworks; |
|
|
(B) the vendor's cybersecurity risk management |
|
|
program includes appropriate training and certifications for the |
|
|
employees performing work under the contract; and |
|
|
(C) the vendor has a vulnerability management |
|
|
program that addresses vulnerability identification, mitigation, |
|
|
and responsible disclosure, as appropriate; and |
|
|
(2) an initial summary of any costs associated with |
|
|
addressing or remediating the identified technology or |
|
|
personnel-related cybersecurity risks as identified in |
|
|
collaboration with this state following a risk assessment. |
|
|
Sec. 2054.5191. CYBERSTAR PROGRAM; CERTIFICATE OF |
|
|
APPROVAL. (a) The state cybersecurity coordinator, in |
|
|
collaboration with the cybersecurity council and public and private |
|
|
entities in this state, shall develop best practices for |
|
|
cybersecurity that include: |
|
|
(1) measureable, flexible, and voluntary |
|
|
cybersecurity risk management programs for public and private |
|
|
entities to adopt to prepare for and respond to cyber incidents that |
|
|
compromise the confidentiality, integrity, and availability of the |
|
|
entities' information systems; |
|
|
(2) appropriate training and information for |
|
|
employees or other individuals who are most responsible for |
|
|
maintaining security of the entities' information systems; |
|
|
(3) consistency with: |
|
|
(A) for a municipality or county, the multihazard |
|
|
emergency operations plan and the safety and security audit |
|
|
required under Section 364.0101, Local Government Code; and |
|
|
(B) the National Institute of Standards and |
|
|
Technology standards for cybersecurity; |
|
|
(4) public service announcements to encourage |
|
|
cybersecurity awareness; and |
|
|
(5) coordination with local and state governmental |
|
|
entities. |
|
|
(b) The state cybersecurity coordinator shall establish a |
|
|
cyberstar certificate program to recognize public and private |
|
|
entities that implement the best practices for cybersecurity |
|
|
developed in accordance with Subsection (a). The program must |
|
|
allow a public or private entity to submit to the department a form |
|
|
certifying that the entity has complied with the best practices and |
|
|
the department to issue a certificate of approval to the entity. |
|
|
The entity may include the certificate of approval in |
|
|
advertisements and other public communications. |
|
|
(c) The state cybersecurity coordinator shall conduct an |
|
|
annual public event to promote best practices for cybersecurity. |
|
|
Sec. 2054.5192. ENCRYPTED SECURE LAYER SERVICES REQUIRED. |
|
|
Each state agency that maintains a publicly accessible Internet |
|
|
website that requires the submission of sensitive personally |
|
|
identifiable information shall use an encrypted secure |
|
|
communication protocol, including a secure hypertext transfer |
|
|
protocol. |
|
|
SECTION 17. Subchapter Q, Chapter 2054, Government Code, is |
|
|
amended by adding Section 2054.577 to read as follows: |
|
|
Sec. 2054.577. TEXAS INNOVATION FUND AND STATE AGENCY |
|
|
TECHNOLOGY UPGRADES ACCOUNT. (a) In this section: |
|
|
(1) "Account" means the state agency technology |
|
|
upgrades account. |
|
|
(2) "Board" means the Texas innovation fund board. |
|
|
(3) "Cloud computing service" has the meaning assigned |
|
|
by Section 2157.007. |
|
|
(4) "Device-as-a-service" means a managed service in |
|
|
which hardware that belongs to a managed service provider is |
|
|
installed at a state agency and a service level agreement defines |
|
|
the responsibilities of each party to the agreement. |
|
|
(5) "Fund" means the Texas innovation fund. |
|
|
(6) "Information technology system" means any |
|
|
equipment or interconnected system or subsystem of equipment used |
|
|
by a state agency, or a person under a contract with a state agency |
|
|
if the contract requires use of the equipment, to acquire, store, |
|
|
analyze, evaluate, manipulate, manage, move, control, display, |
|
|
switch, interchange, transmit, print, copy, scan, or receive data |
|
|
or other information. The term: |
|
|
(A) includes a computer, a device-as-a-service |
|
|
solution, ancillary computer equipment such as imaging, printing, |
|
|
scanning, and copying peripherals and input, output, and storage |
|
|
devices necessary for security and surveillance, peripheral |
|
|
equipment designed to be controlled by the central processing unit |
|
|
of a computer, software and firmware and similar procedures, and |
|
|
services, including support services, and related resources; and |
|
|
(B) does not include equipment acquired by a |
|
|
contractor incidental to a state contract. |
|
|
(7) "Legacy information technology system" means an |
|
|
information technology system that is operated with obsolete or |
|
|
inefficient hardware or software technology. |
|
|
(8) "Qualifying information technology modernization |
|
|
project" means a project by a state agency to: |
|
|
(A) replace the agency's information technology |
|
|
systems; |
|
|
(B) transition the agency's legacy information |
|
|
technology systems to a cloud computing service or other innovative |
|
|
commercial platform or technology; or |
|
|
(C) develop and implement a method to provide |
|
|
adequate, risk-based, and cost-effective information technology |
|
|
responses to threats to the agency's information security. |
|
|
(9) "State agency" has the meaning assigned by Section |
|
|
2254.151, notwithstanding Section 2054.003. |
|
|
(b) The Texas innovation fund board is established to |
|
|
administer the Texas innovation fund and the state agency |
|
|
technology upgrades account and to make awards of financial |
|
|
assistance to state agencies from the fund or account for |
|
|
qualifying information technology modernization projects. The |
|
|
board is composed of: |
|
|
(1) one member who is a representative of the |
|
|
department, appointed by the presiding officer of the governing |
|
|
board of the department; |
|
|
(2) one member who is a representative of the office of |
|
|
the governor, appointed by the governor; |
|
|
(3) two members of the senate, appointed by the |
|
|
lieutenant governor; |
|
|
(4) two members of the house of representatives, |
|
|
appointed by the presiding officer of the governing board of the |
|
|
department from a list provided by the speaker of the house of |
|
|
representatives; and |
|
|
(5) one public member, appointed by the governor. |
|
|
(c) Members of the board serve staggered six-year terms. A |
|
|
board member is not entitled to compensation for service on the |
|
|
board but is entitled to reimbursement of expenses incurred while |
|
|
performing duties as a board member. |
|
|
(d) The Texas innovation fund and the state agency |
|
|
technology upgrades account are special funds outside the state |
|
|
treasury to be used by the board, without further legislative |
|
|
appropriation, as provided by this section. |
|
|
(e) The fund consists of: |
|
|
(1) money appropriated, credited, or transferred to |
|
|
the fund by the legislature; |
|
|
(2) money received by the board for the repayment of a |
|
|
loan made from the fund; and |
|
|
(3) interest and other earnings earned on deposits and |
|
|
investments of money in the fund. |
|
|
(f) The account consists of: |
|
|
(1) money deposited to the account by the comptroller |
|
|
in the manner prescribed by Subsection (h); and |
|
|
(2) interest and other earnings earned on deposits and |
|
|
investments of money in the account. |
|
|
(g) The department by rule shall establish a loan program to |
|
|
authorize the board to use money from the fund to provide loans to |
|
|
state agencies for qualifying information technology modernization |
|
|
projects. A state agency must apply to the board for a loan from the |
|
|
fund. The application must include a description of the qualifying |
|
|
information technology modernization project for which the state |
|
|
agency is requesting a loan. A loan agreement entered into under |
|
|
this subsection must require the state agency to: |
|
|
(1) repay the loan to the board within seven years of |
|
|
the date the loan is made to the agency; and |
|
|
(2) make annual reports to the board identifying cost |
|
|
savings realized by the agency as a result of the project for which |
|
|
the agency received the loan. |
|
|
(h) At the end of each state fiscal year, on the written |
|
|
request of a state agency, the comptroller shall deposit to the |
|
|
account the unexpended balance of any money appropriated to the |
|
|
agency for that state fiscal year that is budgeted by the agency for |
|
|
information technology services or cybersecurity purposes. A state |
|
|
agency may request money from the account from the board at any time |
|
|
for a qualifying information technology modernization project. |
|
|
This subsection does not apply to the unexpended balance of any |
|
|
money appropriated to a state agency from federal funds or from a |
|
|
fund created by the constitution of this state. |
|
|
(i) The comptroller shall separately account for the amount |
|
|
of money deposited to the account at the request of each state |
|
|
agency under Subsection (h). Money deposited to the account under |
|
|
Subsection (h) and any interest and other earnings on that money may |
|
|
be provided only to the state agency for which the comptroller |
|
|
deposited the money to the account and may be used by the agency |
|
|
only for a qualifying information technology modernization |
|
|
project. |
|
|
(j) Any money deposited to the account at the request of a |
|
|
state agency under Subsection (h) that is not requested by the |
|
|
agency within two years from the date the money is deposited shall |
|
|
be transferred by the comptroller to the general revenue fund to be |
|
|
used in accordance with legislative appropriation. |
|
|
(k) A state agency that receives money from the fund or the |
|
|
account may collaborate with one or more other state agencies that |
|
|
also receive money from the fund or the account to purchase |
|
|
information technology systems that may be shared between the |
|
|
agencies. |
|
|
(l) The department and the comptroller may adopt rules to |
|
|
implement and administer this section. |
|
|
SECTION 18. Chapter 2054, Government Code, is amended by |
|
|
adding Subchapter R to read as follows: |
|
|
SUBCHAPTER R. INFORMATION RESOURCES OF GOVERNMENTAL ENTITIES |
|
|
Sec. 2054.601. USE OF NEXT GENERATION TECHNOLOGY. Each |
|
|
state agency and local government shall, in the administration of |
|
|
the agency or local government, consider using next generation |
|
|
technologies, including cryptocurrency, blockchain technology, and |
|
|
artificial intelligence. |
|
|
Sec. 2054.602. LIABILITY EXEMPTION. A person who in good |
|
|
faith discloses to a state agency or other governmental entity |
|
|
information regarding a potential security issue with respect to |
|
|
the agency's or entity's information resources technologies is not |
|
|
liable for any civil damages resulting from disclosing the |
|
|
information unless the person stole, retained, or sold any data |
|
|
obtained as a result of the security issue. |
|
|
Sec. 2054.603. MATCHING GRANTS FOR LOCAL CYBERSECURITY |
|
|
PROJECTS. (a) In this section, "local governmental entity" means a |
|
|
political subdivision of the state, including a: |
|
|
(1) county; |
|
|
(2) municipality; |
|
|
(3) public school district; or |
|
|
(4) special-purpose district or authority. |
|
|
(b) Using available funds, the governor shall establish and |
|
|
administer a cybersecurity matching grant program to award grants |
|
|
to local governmental entities to defray the costs of cybersecurity |
|
|
projects. |
|
|
(c) A local governmental entity that applies to the office |
|
|
of the governor for a matching grant under this section must |
|
|
identify the source and amount of the local governmental entity's |
|
|
matching funds. If the office approves a grant application, the |
|
|
office shall award to the local governmental entity a grant amount |
|
|
equal to 150 percent of the amount committed by the entity. |
|
|
(d) The office may set a deadline for grant applications for |
|
|
each state fiscal year. |
|
|
(e) The governor shall adopt rules to implement the grant |
|
|
program created under this section. |
|
|
Sec. 2054.604. CYBERSECURITY THREAT ASSESSMENT. The |
|
|
department shall develop a cybersecurity threat assessment for |
|
|
local governments that provides best practices for preventing |
|
|
cybersecurity attacks. |
|
|
Sec. 2054.605. REPOSITORY FOR CYBERSECURITY EDUCATION AND |
|
|
TRAINING. The department, in conjunction with institutions of |
|
|
higher education as defined by Section 61.003, Education Code, |
|
|
shall maintain and promote a centralized repository of information |
|
|
on cybersecurity education and training that is available to any |
|
|
governmental entity in this state. |
|
|
SECTION 19. Subchapter B, Chapter 2155, Government Code, is |
|
|
amended by adding Section 2155.092 to read as follows: |
|
|
Sec. 2155.092. VENDOR STATEMENT FOR CERTAIN GOODS. (a) |
|
|
This section does not apply to a good provided as part of a major |
|
|
information resources project as defined by Section 2054.003. |
|
|
(b) A vendor offering to sell to the state a good embedded |
|
|
with a computing device capable of Internet connectivity must |
|
|
include with each bid, offer, proposal, or other expression of |
|
|
interest a written statement providing whether, at the time of |
|
|
submitting the bid, offer, proposal, or expression of interest, the |
|
|
vendor has actual knowledge of a confirmed security vulnerability |
|
|
or defect in the device's hardware, software, or firmware that |
|
|
would adversely affect the security of state data and is subject to |
|
|
an applicable notification law. |
|
|
(c) If a security vulnerability or defect is identified by a |
|
|
vendor under Subsection (b), the contracting state agency may |
|
|
request additional information in order to assess: |
|
|
(1) the potential impact of the vulnerability or |
|
|
defect on the agency's planned use of the device; and |
|
|
(2) whether a security patch or other means of |
|
|
mitigation is currently available or expected within a specific |
|
|
period of time. |
|
|
SECTION 20. The heading to Section 2157.007, Government |
|
|
Code, is amended to read as follows: |
|
|
Sec. 2157.007. [CONSIDERATION OF] CLOUD COMPUTING SERVICE |
|
|
[PURCHASE]. |
|
|
SECTION 21. Section 2157.007, Government Code, is amended |
|
|
by amending Subsections (a) and (b) and adding Subsections (b-1), |
|
|
(b-2), and (f) to read as follows: |
|
|
(a) In this section: |
|
|
(1) "Cloud computing service" has the meaning assigned |
|
|
by Special Publication 800-145 issued by the United States |
|
|
Department of Commerce National Institute of Standards and |
|
|
Technology, as the definition existed on January 1, 2015. |
|
|
(2) "Major information resources project" has the |
|
|
meaning assigned by Section 2054.003. |
|
|
(b) Except as provided by Subsection (b-1), a [A] state |
|
|
agency shall ensure [consider cloud computing service options,
|
|
|
including any security benefits and cost savings associated with
|
|
|
purchasing those service options from a cloud computing service
|
|
|
provider and from a statewide technology center established by the
|
|
|
department], when making purchases for an automated information |
|
|
system or a major information resources project, that the system or |
|
|
project is capable of being deployed and run on cloud computing |
|
|
services [under Section 2054.118]. |
|
|
(b-1) When making a purchase for an automated information |
|
|
system or a major information resources project, a state agency may |
|
|
determine that, due to integration limitations with legacy systems, |
|
|
security risks, costs, or other relevant considerations, the agency |
|
|
is unable to purchase a system or project capable of being deployed |
|
|
and run on cloud computing services. |
|
|
(b-2) At least 14 days before the date a state agency |
|
|
solicits bids, proposals, offers, or other applicable expressions |
|
|
of interest for a purchase described by Subsection (b-1), the |
|
|
agency shall submit to the Legislative Budget Board for the |
|
|
purchase of an automated information system or to the quality |
|
|
assurance team as defined by Section 2054.003 for the purchase of a |
|
|
major information resources project a report that describes the |
|
|
purchase and the agency's reasoning for making the purchase. |
|
|
(f) The department shall periodically review guidelines on |
|
|
state agency information that may be stored by a cloud computing or |
|
|
other storage service and the cloud computing or other storage |
|
|
services available to state agencies for that storage to ensure |
|
|
that an agency purchasing a major information resources project |
|
|
selects the most affordable, secure, and efficient cloud computing |
|
|
or other storage service available to the agency. The guidelines |
|
|
must include appropriate privacy and security standards that, at a |
|
|
minimum, require a vendor who offers cloud computing or other |
|
|
storage services or other software, applications, online services, |
|
|
or information technology solutions to any state agency to |
|
|
demonstrate that data provided by the state to the vendor will be |
|
|
maintained in compliance with all applicable state and federal laws |
|
|
and rules. |
|
|
SECTION 22. Section 205.010(b), Local Government Code, is |
|
|
amended to read as follows: |
|
|
(b) A local government that owns, licenses, or maintains |
|
|
computerized data that includes sensitive personal information |
|
|
shall comply, in the event of a breach of system security, with the |
|
|
notification requirements of: |
|
|
(1) Section 364.0053; |
|
|
(2) Section 364.0102; and |
|
|
(3) Section 521.053, Business & Commerce Code, to the |
|
|
same extent as a person who conducts business in this state. |
|
|
SECTION 23. Subtitle C, Title 11, Local Government Code, is |
|
|
amended by adding Chapter 364 to read as follows: |
|
|
CHAPTER 364. LOCAL GOVERNMENT CYBERSECURITY AND EMERGENCY PLANNING |
|
|
AND RESPONSE |
|
|
SUBCHAPTER A. GENERAL PROVISIONS |
|
|
Sec. 364.0001. DEFINITIONS. In this chapter: |
|
|
(1) "Breach of system security" has the meaning |
|
|
assigned by Section 521.053, Business & Commerce Code. |
|
|
(2) "Cybersecurity coordinator" means the state |
|
|
cybersecurity coordinator designated under Section 2054.511, |
|
|
Government Code. |
|
|
(3) "Cybersecurity council" means the council |
|
|
established by the cybersecurity coordinator under Section |
|
|
2054.512, Government Code. |
|
|
(4) "Sensitive personal information" has the meaning |
|
|
assigned by Section 521.002, Business & Commerce Code. |
|
|
SUBCHAPTER B. REGIONAL INFORMATION SHARING AND ANALYSIS CENTERS |
|
|
Sec. 364.0051. ESTABLISHMENT. (a) The cybersecurity |
|
|
coordinator shall provide for the establishment and operation of |
|
|
not more than 20 regional information sharing and analysis centers. |
|
|
(b) Regional information sharing and analysis centers shall |
|
|
be located throughout the state so that the boundaries for each |
|
|
center are coextensive with the regional education service centers |
|
|
established under Chapter 8, Education Code. |
|
|
Sec. 364.0052. MEMBERSHIP. Each municipality with a |
|
|
population of more than 25,000 shall join the regional information |
|
|
sharing and analysis center in which the municipality is |
|
|
predominantly located. Any other political subdivision may join |
|
|
the regional information sharing and analysis center in which the |
|
|
political subdivision is predominantly located. |
|
|
Sec. 364.0053. SECURITY BREACH NOTIFICATION. (a) Not |
|
|
later than 48 hours after a political subdivision discovers a |
|
|
breach or suspected breach of system security or an unauthorized |
|
|
exposure of sensitive personal information, the political |
|
|
subdivision shall notify the regional information sharing and |
|
|
analysis center of the breach. The notification must describe the |
|
|
breach, suspected breach, or unauthorized exposure. |
|
|
(b) A regional information sharing and analysis center |
|
|
shall report to the Department of Information Resources any breach |
|
|
of system security reported by a political subdivision in which the |
|
|
person responsible for the breach: |
|
|
(1) obtained or modified specific critical or |
|
|
sensitive personal information; |
|
|
(2) established access to the political subdivision's |
|
|
information systems or infrastructure; or |
|
|
(3) undermined, severely disrupted, or destroyed a |
|
|
core service, program, or function of the political subdivision, or |
|
|
placed the person in a position to do so in the future. |
|
|
Sec. 364.0054. RULEMAKING. The cybersecurity coordinator |
|
|
may adopt rules necessary to implement this subchapter. |
|
|
SUBCHAPTER C. EMERGENCY PLANNING AND RESPONSE |
|
|
Sec. 364.0101. MULTIHAZARD EMERGENCY OPERATIONS PLAN; |
|
|
SAFETY AND SECURITY AUDIT. (a) This section applies to a |
|
|
municipality or county with a population of more than 100,000. |
|
|
(b) Each municipality and county shall adopt and implement a |
|
|
multihazard emergency operations plan for use in the municipality's |
|
|
and county's facilities. The plan must address mitigation, |
|
|
preparedness, response, and recovery as determined by the |
|
|
cybersecurity council and the governor's office of homeland |
|
|
security. The plan must provide for: |
|
|
(1) municipal or county employee training in |
|
|
responding to an emergency; |
|
|
(2) measures to ensure coordination with the |
|
|
Department of State Health Services, Department of Information |
|
|
Resources, local emergency management agencies, law enforcement |
|
|
agencies, local health departments, and fire departments in the |
|
|
event of an emergency; and |
|
|
(3) the implementation of a safety and security audit |
|
|
as required by Subsection (c). |
|
|
(c) At least once every three years, each municipality and |
|
|
county shall conduct a safety and security audit of the |
|
|
municipality's or county's information technology infrastructure. |
|
|
To the extent possible, a municipality or county shall follow |
|
|
safety and security audit procedures developed by the cybersecurity |
|
|
council or a comparable public or private entity. |
|
|
(d) A municipality or county shall report the results of the |
|
|
safety and security audit conducted under Subsection (c): |
|
|
(1) to the municipality's or county's governing body; |
|
|
and |
|
|
(2) in the manner required by the cybersecurity |
|
|
council, to the cybersecurity council. |
|
|
(e) Except as provided by Subsection (f), any document or |
|
|
information collected, developed, or produced during a safety and |
|
|
security audit conducted under Subsection (c) is not subject to |
|
|
disclosure under Chapter 552, Government Code. |
|
|
(f) A document relating to a municipality's or county's |
|
|
multihazard emergency operations plan is subject to disclosure if |
|
|
the document enables a person to: |
|
|
(1) verify that the municipality or county has |
|
|
established a plan and determine the agencies involved in the |
|
|
development of the plan and the agencies coordinating with the |
|
|
municipality or county to respond to an emergency; |
|
|
(2) verify that the municipality's or county's plan |
|
|
was reviewed within the last 12 months and determine the specific |
|
|
review dates; |
|
|
(3) verify that the plan addresses the phases of |
|
|
emergency management under Subsection (b); |
|
|
(4) verify that municipal or county employees have |
|
|
been trained to respond to an emergency and determine the types of |
|
|
training, the number of employees trained, and the person |
|
|
conducting the training; |
|
|
(5) verify that the municipality or county has |
|
|
completed a safety and security audit under Subsection (c) and |
|
|
determine the date the audit was conducted, the person conducting |
|
|
the audit, and the date the municipality or county presented the |
|
|
results of the audit to the municipality's or county's governing |
|
|
body; and |
|
|
(6) verify that the municipality or county has |
|
|
addressed any recommendations by the municipality's or county's |
|
|
governing body for improvement of the plan and determine the |
|
|
municipality's or county's progress within the last 12 months. |
|
|
Sec. 364.0102. RANSOMWARE PAYMENT. (a) In this section, |
|
|
"ransomware" has the meaning assigned by Section 33.023, Penal |
|
|
Code. |
|
|
(b) Not later than 48 hours after the time a political |
|
|
subdivision makes a ransomware payment, the political subdivision |
|
|
shall notify the cybersecurity coordinator of the payment. |
|
|
SECTION 24. Section 2054.513, Government Code, is repealed. |
|
|
SECTION 25. The Department of Information Resources shall |
|
|
conduct a study on the types of objects embedded with computing |
|
|
devices that are connected to the Internet that are purchased |
|
|
through the department. The Department of Information Resources |
|
|
shall submit a report on the study to the legislature not later than |
|
|
December 31, 2020. |
|
|
SECTION 26. (a) The lieutenant governor shall establish a |
|
|
Senate Select Committee on Cybersecurity and the speaker of the |
|
|
house of representatives shall establish a House Select Committee |
|
|
on Cybersecurity to, jointly or separately, study: |
|
|
(1) cybersecurity in this state; |
|
|
(2) the information security plans of each state |
|
|
agency; |
|
|
(3) the risks and vulnerabilities of state agency |
|
|
cybersecurity; and |
|
|
(4) information technology procurement. |
|
|
(b) Not later than November 30, 2019: |
|
|
(1) the lieutenant governor shall appoint five |
|
|
senators to the Senate Select Committee on Cybersecurity, one of |
|
|
whom shall be designated as chair; and |
|
|
(2) the speaker of the house of representatives shall |
|
|
appoint five state representatives to the House Select Committee on |
|
|
Cybersecurity, one of whom shall be designated as chair. |
|
|
(c) The committees established under this section shall |
|
|
convene separately at the call of the chair of the respective |
|
|
committees, or jointly at the call of both chairs. In joint |
|
|
meetings, the chairs of each committee shall act as joint chairs. |
|
|
(d) Following consideration of the issues listed in |
|
|
Subsection (a) of this section, the committees established under |
|
|
this section shall jointly adopt recommendations on state |
|
|
cybersecurity and report in writing to the legislature any findings |
|
|
and adopted recommendations not later than January 12, 2021. |
|
|
(e) This section expires September 1, 2021. |
|
|
SECTION 27. As soon as practicable after the effective date |
|
|
of this Act, the governor shall appoint a chief innovation officer |
|
|
as required by Section 401.106, Government Code, as added by this |
|
|
Act. |
| |
|
|
SECTION 28. (a) An official publisher in the executive |
|
|
branch of state government shall comply with the applicable |
|
|
provisions of Subchapter E, Chapter 2051, Government Code, as added |
|
|
by this Act, in accordance with an implementation plan developed |
|
|
under Subsection (b) of this section. |
|
|
(b) The Texas State Library and Archives Commission and an |
|
|
official publisher in the executive branch of state government are |
|
|
jointly responsible for developing an implementation plan for the |
|
|
applicable provisions of Subchapter E, Chapter 2051, Government |
|
|
Code, as added by this Act. The implementation plan must: |
|
|
(1) for each applicable type of legal material defined |
|
|
by Subchapter E, Chapter 2051, Government Code, as added by this |
|
|
Act, advise as to the method by which the legal material may be |
|
|
authenticated, preserved, and made available on a permanent basis; |
|
|
and |
|
|
(2) establish a timeline for the official publisher to |
|
|
comply with Sections 2051.154, 2051.155, 2051.157, and 2051.158, |
|
|
Government Code, as added by this Act. |
|
|
(c) The implementation plan developed under Subsection (b) |
|
|
of this section may provide for compliance by an official publisher |
|
|
in the executive branch of state government with Sections 2051.154, |
|
|
2051.155, 2051.157, and 2051.158, Government Code, as added by this |
|
|
Act, to be phased in over a period of time. |
|
|
(d) The Texas State Library and Archives Commission shall |
|
|
provide the implementation plan developed under Subsection (b) of |
|
|
this section to the legislature not later than September 1, 2020. |
|
|
SECTION 29. (a) An official publisher in the legislative |
|
|
branch of state government shall comply with the applicable |
|
|
provisions of Subchapter E, Chapter 2051, Government Code, as added |
|
|
by this Act, in accordance with an implementation plan developed |
|
|
under Subsection (b) of this section. |
|
|
(b) An official publisher in the legislative branch of state |
|
|
government, in consultation with the lieutenant governor, the |
|
|
speaker of the house of representatives, the Senate Committee on |
|
|
Administration, and the House Committee on Administration, shall |
|
|
develop an implementation plan for the applicable provisions of |
|
|
Subchapter E, Chapter 2051, Government Code, as added by this Act. |
|
|
The implementation plan must: |
|
|
(1) for each applicable type of legal material defined |
|
|
by Subchapter E, Chapter 2051, Government Code, as added by this |
|
|
Act, recommend the method by which the legal material may be |
|
|
authenticated, preserved, and made available on a permanent basis; |
|
|
and |
|
|
(2) establish a timeline for the official publisher to |
|
|
comply with Sections 2051.154, 2051.155, 2051.157, and 2051.158, |
|
|
Government Code, as added by this Act. |
|
|
(c) The implementation plan developed under Subsection (b) |
|
|
of this section may provide for compliance by an official publisher |
|
|
in the legislative branch of state government with Sections |
|
|
2051.154, 2051.155, 2051.157, and 2051.158, Government Code, as |
|
|
added by this Act, to be phased in over a period of time. |
|
|
(d) An official publisher in the legislative branch of state |
|
|
government shall provide the implementation plan developed under |
|
|
Subsection (b) of this section to the lieutenant governor and |
|
|
speaker of the house of representatives not later than September 1, |
|
|
2020. |
|
|
SECTION 30. Section 2054.139, Government Code, as added by |
|
|
this Act, requiring a new employee of a state agency to complete |
|
|
cybersecurity training, applies only to an employee who begins |
|
|
employment on or after the effective date of this Act. |
|
|
SECTION 31. Section 2155.092, Government Code, as added by |
|
|
this Act, applies only in relation to a contract for which a state |
|
|
agency first advertises or otherwise solicits bids, offers, |
|
|
proposals, or other expressions of interest on or after the |
|
|
effective date of this Act. |
|
|
SECTION 32. Section 2157.007, Government Code, as amended |
|
|
by this Act, applies only with respect to a purchase made by a state |
|
|
agency on or after the effective date of this Act. A purchase made |
|
|
before the effective date of this Act is governed by the law in |
|
|
effect on the date the purchase was made, and the former law is |
|
|
continued in effect for that purpose. |
|
|
SECTION 33. If before implementing any provision of this |
|
|
Act a state agency determines that a waiver or authorization from a |
|
|
federal agency is necessary for implementation of that provision, |
|
|
the agency affected by the provision shall request the waiver or |
|
|
authorization and may delay implementing that provision until the |
|
|
waiver or authorization is granted. |
|
|
SECTION 34. This Act takes effect September 1, 2019. |