| |
| |
| |
|
|
AN ACT
|
|
|
relating to cybersecurity for information resources. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Subchapter C, Chapter 61, Education Code, is |
|
|
amended by adding Sections 61.09091 and 61.09092 to read as |
|
|
follows: |
|
|
Sec. 61.09091. STRATEGIES TO INCENTIVIZE CYBERSECURITY |
|
|
DEGREE PROGRAMS. (a) The board in collaboration with the |
|
|
Department of Information Resources shall identify and develop |
|
|
strategies to incentivize institutions of higher education to |
|
|
develop degree programs in cybersecurity. |
|
|
(b) The board shall consult with institutions of higher |
|
|
education as necessary to carry out its duties under this section. |
|
|
(c) Not later than September 1, 2020, the board shall submit |
|
|
a written report detailing the strategies identified under this |
|
|
section to the lieutenant governor, the speaker of the house of |
|
|
representatives, the presiding officer of each legislative |
|
|
standing committee with primary jurisdiction over higher |
|
|
education, and each governing board of an institution of higher |
|
|
education. |
|
|
(d) This section expires September 1, 2021. |
|
|
Sec. 61.09092. COORDINATION OF CYBERSECURITY COURSEWORK |
|
|
DEVELOPMENT. (a) In this section, "lower-division institution of |
|
|
higher education" means a public junior college, public state |
|
|
college, or public technical institute. |
|
|
(b) The board, in consultation with the Department of |
|
|
Information Resources, shall coordinate with lower-division |
|
|
institutions of higher education and entities that administer or |
|
|
award postsecondary industry certifications or other workforce |
|
|
credentials in cybersecurity to develop certificate programs or |
|
|
other courses of instruction leading toward those certifications or |
|
|
credentials that may be offered by lower-division institutions of |
|
|
higher education. |
|
|
(c) The board may adopt rules as necessary for the |
|
|
administration of this section. |
|
|
SECTION 2. Section 418.004(1), Government Code, is amended |
|
|
to read as follows: |
|
|
(1) "Disaster" means the occurrence or imminent threat |
|
|
of widespread or severe damage, injury, or loss of life or property |
|
|
resulting from any natural or man-made cause, including fire, |
|
|
flood, earthquake, wind, storm, wave action, oil spill or other |
|
|
water contamination, volcanic activity, epidemic, air |
|
|
contamination, blight, drought, infestation, explosion, riot, |
|
|
hostile military or paramilitary action, extreme heat, |
|
|
cybersecurity event, other public calamity requiring emergency |
|
|
action, or energy emergency. |
|
|
SECTION 3. Subchapter F, Chapter 437, Government Code, is |
|
|
amended by adding Section 437.255 to read as follows: |
|
|
Sec. 437.255. ASSISTING TEXAS STATE GUARD WITH CYBER |
|
|
OPERATIONS. To serve the state and safeguard the public from |
|
|
malicious cyber activity, the governor may command the Texas |
|
|
National Guard to assist the Texas State Guard with defending the |
|
|
state's cyber operations. |
|
|
SECTION 4. The heading to Section 656.047, Government Code, |
|
|
is amended to read as follows: |
|
|
Sec. 656.047. PAYMENT OF PROGRAM AND CERTIFICATION |
|
|
EXAMINATION EXPENSES. |
|
|
SECTION 5. Section 656.047, Government Code, is amended by |
|
|
adding Subsection (a-1) to read as follows: |
|
|
(a-1) A state agency may spend public funds as appropriate |
|
|
to reimburse a state agency employee or administrator who serves in |
|
|
an information technology, cybersecurity, or other cyber-related |
|
|
position for fees associated with industry-recognized |
|
|
certification examinations. |
|
|
SECTION 6. Section 815.103, Government Code, is amended by |
|
|
adding Subsection (g) to read as follows: |
|
|
(g) The retirement system shall comply with cybersecurity |
|
|
and information security standards established by the Department of |
|
|
Information Resources under Chapter 2054. |
|
|
SECTION 7. Section 825.103, Government Code, is amended by |
|
|
amending Subsection (e) and adding Subsection (e-1) to read as |
|
|
follows: |
|
|
(e) Except as provided by Subsection (e-1), Chapters 2054 |
|
|
and 2055 do not apply to the retirement system. The board of |
|
|
trustees shall control all aspects of information technology and |
|
|
associated resources relating to the retirement system, including |
|
|
computer, data management, and telecommunication operations, |
|
|
procurement of hardware, software, and middleware, and |
|
|
telecommunication equipment and systems, location, operation, and |
|
|
replacement of computers, computer systems, and telecommunication |
|
|
systems, data processing, security, disaster recovery, and |
|
|
storage. The Department of Information Resources shall assist the |
|
|
retirement system at the request of the retirement system, and the |
|
|
retirement system may use any service that is available through |
|
|
that department. |
|
|
(e-1) The retirement system shall comply with cybersecurity |
|
|
and information security standards established by the Department of |
|
|
Information Resources under Chapter 2054. |
|
|
SECTION 8. Section 2054.0075, Government Code, is amended |
|
|
to read as follows: |
|
|
Sec. 2054.0075. EXCEPTION: PUBLIC JUNIOR COLLEGE. This |
|
|
chapter does not apply to a public junior college or a public junior |
|
|
college district, except as necessary to comply with information |
|
|
security standards and for participation in shared technology |
|
|
services, including the electronic government project implemented |
|
|
under Subchapter I and statewide technology centers under |
|
|
Subchapter L [except as to Section 2054.119, Government Code]. |
|
|
SECTION 9. Section 2054.0591(a), Government Code, is |
|
|
amended to read as follows: |
|
|
(a) Not later than November 15 of each even-numbered year, |
|
|
the department shall submit to the governor, the lieutenant |
|
|
governor, the speaker of the house of representatives, and the |
|
|
standing committee of each house of the legislature with primary |
|
|
jurisdiction over state government operations a report identifying |
|
|
preventive and recovery efforts the state can undertake to improve |
|
|
cybersecurity in this state. The report must include: |
|
|
(1) an assessment of the resources available to |
|
|
address the operational and financial impacts of a cybersecurity |
|
|
event; |
|
|
(2) a review of existing statutes regarding |
|
|
cybersecurity and information resources technologies; |
|
|
(3) recommendations for legislative action to |
|
|
increase the state's cybersecurity and protect against adverse |
|
|
impacts from a cybersecurity event; and |
|
|
(4) an evaluation of a program that provides an |
|
|
information security officer to assist small state agencies and |
|
|
local governments that are unable to justify hiring a full-time |
|
|
information security officer [the costs and benefits of
|
|
|
cybersecurity insurance; and
|
|
|
[(5)
an evaluation of tertiary disaster recovery
|
|
|
options]. |
|
|
SECTION 10. Section 2054.0594, Government Code, is amended |
|
|
to read as follows: |
|
|
Sec. 2054.0594. INFORMATION SHARING AND ANALYSIS |
|
|
ORGANIZATION [CENTER]. (a) The department shall establish an |
|
|
information sharing and analysis organization [center] to provide a |
|
|
forum for state agencies, local governments, public and private |
|
|
institutions of higher education, and the private sector to share |
|
|
information regarding cybersecurity threats, best practices, and |
|
|
remediation strategies. |
|
|
(b) [The department shall appoint persons from appropriate
|
|
|
state agencies to serve as representatives to the information
|
|
|
sharing and analysis center.
|
|
|
[(c)] The department[, using funds other than funds
|
|
|
appropriated to the department in a general appropriations act,] |
|
|
shall provide administrative support to the information sharing and |
|
|
analysis organization [center]. |
|
|
(c) A participant in the information sharing and analysis |
|
|
organization shall assert any exception available under state or |
|
|
federal law, including Section 552.139, in response to a request |
|
|
for public disclosure of information shared through the |
|
|
organization. Section 552.007 does not apply to information |
|
|
described by this subsection. |
|
|
SECTION 11. Section 2054.068(e), Government Code, is |
|
|
amended to read as follows: |
|
|
(e) The consolidated report required by Subsection (d) |
|
|
must: |
|
|
(1) include an analysis and assessment of each state |
|
|
agency's security and operational risks; and |
|
|
(2) for a state agency found to be at higher security |
|
|
and operational risks, include a detailed analysis of agency |
|
|
efforts to address the risks and related vulnerabilities[, and an
|
|
|
estimate of the costs to implement, the:
|
|
|
[(A)
requirements for the agency to address the
|
|
|
risks and related vulnerabilities; and
|
|
|
[(B)
agency's efforts to address the risks
|
|
|
through the:
|
|
|
[(i)
modernization of information
|
|
|
technology systems;
|
|
|
[(ii) use of cloud services; and
|
|
|
[(iii)
use of a statewide technology center
|
|
|
established by the department]. |
|
|
SECTION 12. Subchapter C, Chapter 2054, Government Code, is |
|
|
amended by adding Section 2054.069 to read as follows: |
|
|
Sec. 2054.069. PRIORITIZED CYBERSECURITY AND LEGACY SYSTEM |
|
|
PROJECTS REPORT. (a) Not later than October 1 of each |
|
|
even-numbered year, the department shall submit a report to the |
|
|
Legislative Budget Board that prioritizes, for the purpose of |
|
|
receiving funding, state agency: |
|
|
(1) cybersecurity projects; and |
|
|
(2) projects to modernize or replace legacy systems, |
|
|
as defined by Section 2054.571. |
|
|
(b) Each state agency shall coordinate with the department |
|
|
to implement this section. |
|
|
(c) A state agency shall assert any exception available |
|
|
under state or federal law, including Section 552.139, in response |
|
|
to a request for public disclosure of information contained in or |
|
|
written, produced, collected, assembled, or maintained in |
|
|
connection with the report under Subsection (a). Section 552.007 |
|
|
does not apply to information described by this subsection. |
|
|
SECTION 13. Sections 2054.077(b) and (d), Government Code, |
|
|
are amended to read as follows: |
|
|
(b) The information security officer [resources manager] of |
|
|
a state agency shall prepare or have prepared a report, including an |
|
|
executive summary of the findings of the biennial report, not later |
|
|
than October 15 of each even-numbered year, assessing the extent to |
|
|
which a computer, a computer program, a computer network, a |
|
|
computer system, a printer, an interface to a computer system, |
|
|
including mobile and peripheral devices, computer software, or data |
|
|
processing of the agency or of a contractor of the agency is |
|
|
vulnerable to unauthorized access or harm, including the extent to |
|
|
which the agency's or contractor's electronically stored |
|
|
information is vulnerable to alteration, damage, erasure, or |
|
|
inappropriate use. |
|
|
(d) The information security officer [resources manager] |
|
|
shall provide an electronic copy of the vulnerability report on its |
|
|
completion to: |
|
|
(1) the department; |
|
|
(2) the state auditor; |
|
|
(3) the agency's executive director; |
|
|
(4) the agency's designated information resources |
|
|
manager; and |
|
|
(5) [(4)] any other information technology security |
|
|
oversight group specifically authorized by the legislature to |
|
|
receive the report. |
|
|
SECTION 14. Section 2054.1125, Government Code, is amended |
|
|
by amending Subsection (b) and adding Subsection (c) to read as |
|
|
follows: |
|
|
(b) A state agency that owns, licenses, or maintains |
|
|
computerized data that includes sensitive personal information, |
|
|
confidential information, or information the disclosure of which is |
|
|
regulated by law shall, in the event of a breach or suspected breach |
|
|
of system security or an unauthorized exposure of that information: |
|
|
(1) comply with the notification requirements of |
|
|
Section 521.053, Business & Commerce Code, to the same extent as a |
|
|
person who conducts business in this state; and |
|
|
(2) not later than 48 hours after the discovery of the |
|
|
breach, suspected breach, or unauthorized exposure, notify: |
|
|
(A) the department, including the chief |
|
|
information security officer [and the state cybersecurity
|
|
|
coordinator]; or |
|
|
(B) if the breach, suspected breach, or |
|
|
unauthorized exposure involves election data, the secretary of |
|
|
state. |
|
|
(c) Not later than the 10th business day after the date of |
|
|
the eradication, closure, and recovery from a breach, suspected |
|
|
breach, or unauthorized exposure, a state agency shall notify the |
|
|
department, including the chief information security officer, of |
|
|
the details of the event and include in the notification an analysis |
|
|
of the cause of the event. |
|
|
SECTION 15. Section 2054.133(e), Government Code, is |
|
|
amended to read as follows: |
|
|
(e) Each state agency shall include in the agency's |
|
|
information security plan a written document that is signed by |
|
|
[acknowledgment that] the [executive director or other] head of the |
|
|
agency, the chief financial officer, and each executive manager |
|
|
[as] designated by the state agency and states that those persons |
|
|
have been made aware of the risks revealed during the preparation of |
|
|
the agency's information security plan. |
|
|
SECTION 16. Section 2054.516, Government Code, as added by |
|
|
Chapters 683 (H.B. 8) and 955 (S.B. 1910), Acts of the 85th |
|
|
Legislature, Regular Session, 2017, is reenacted and amended to |
|
|
read as follows: |
|
|
Sec. 2054.516. DATA SECURITY PLAN FOR ONLINE AND MOBILE |
|
|
APPLICATIONS. (a) Each state agency[, other than an institution
|
|
|
of higher education subject to Section 2054.517,] implementing an |
|
|
Internet website or mobile application that processes any sensitive |
|
|
personal or personally identifiable information or confidential |
|
|
information must: |
|
|
(1) submit a biennial data security plan to the |
|
|
department not later than October 15 of each even-numbered year to |
|
|
establish planned beta testing for the website or application; and |
|
|
(2) subject the website or application to a |
|
|
vulnerability and penetration test and address any vulnerability |
|
|
identified in the test. |
|
|
(b) The department shall review each data security plan |
|
|
submitted under Subsection (a) and make any recommendations for |
|
|
changes to the plan to the state agency as soon as practicable after |
|
|
the department reviews the plan. |
|
|
SECTION 17. Subchapter N-1, Chapter 2054, Government Code, |
|
|
is amended by adding Section 2054.519 to read as follows: |
|
|
Sec. 2054.519. CYBERSTAR PROGRAM; CERTIFICATE OF APPROVAL. |
|
|
(a) The state cybersecurity coordinator, in collaboration with |
|
|
the cybersecurity council and public and private entities in this |
|
|
state, shall develop best practices for cybersecurity that include: |
|
|
(1) measureable, flexible, and voluntary |
|
|
cybersecurity risk management programs for public and private |
|
|
entities to adopt to prepare for and respond to cyber incidents that |
|
|
compromise the confidentiality, integrity, and availability of the |
|
|
entities' information systems; |
|
|
(2) appropriate training and information for |
|
|
employees or other individuals who are most responsible for |
|
|
maintaining security of the entities' information systems; |
|
|
(3) consistency with the National Institute of |
|
|
Standards and Technology standards for cybersecurity; |
|
|
(4) public service announcements to encourage |
|
|
cybersecurity awareness; and |
|
|
(5) coordination with local and state governmental |
|
|
entities. |
|
|
(b) The state cybersecurity coordinator shall establish a |
|
|
cyberstar certificate program to recognize public and private |
|
|
entities that implement the best practices for cybersecurity |
|
|
developed in accordance with Subsection (a). The program must |
|
|
allow a public or private entity to submit to the department a form |
|
|
certifying that the entity has complied with the best practices and |
|
|
the department to issue a certificate of approval to the entity. |
|
|
The entity may include the certificate of approval in |
|
|
advertisements and other public communications. |
|
|
SECTION 18. Chapter 2054, Government Code, is amended by |
|
|
adding Subchapter R to read as follows: |
|
|
SUBCHAPTER R. INFORMATION RESOURCES OF GOVERNMENTAL ENTITIES |
|
|
Sec. 2054.601. USE OF NEXT GENERATION TECHNOLOGY. Each |
|
|
state agency and local government shall, in the administration of |
|
|
the agency or local government, consider using next generation |
|
|
technologies, including cryptocurrency, blockchain technology, and |
|
|
artificial intelligence. |
|
|
Sec. 2054.602. LIABILITY EXEMPTION. A person who in good |
|
|
faith discloses to a state agency or other governmental entity |
|
|
information regarding a potential security issue with respect to |
|
|
the agency's or entity's information resources technologies is not |
|
|
liable for any civil damages resulting from disclosing the |
|
|
information unless the person stole, retained, or sold any data |
|
|
obtained as a result of the security issue. |
|
|
SECTION 19. Section 2059.058(b), Government Code, is |
|
|
amended to read as follows: |
|
|
(b) In addition to the department's duty to provide network |
|
|
security services to state agencies under this chapter, the |
|
|
department by agreement may provide network security to: |
|
|
(1) each house of the legislature; |
|
|
(2) an agency that is not a state agency, including a |
|
|
legislative agency; |
|
|
(3) a political subdivision of this state, including a |
|
|
county, municipality, or special district; [and] |
|
|
(4) an independent organization, as defined by Section |
|
|
39.151, Utilities Code; and |
|
|
(5) a public junior college. |
|
|
SECTION 20. Section 1702.104, Occupations Code, is amended |
|
|
by adding Subsection (c) to read as follows: |
|
|
(c) The review and analysis of computer-based data for the |
|
|
purpose of preparing for or responding to a cybersecurity event |
|
|
does not constitute an investigation for purposes of this section |
|
|
and does not require licensing under this chapter. |
|
|
SECTION 21. Chapter 31, Utilities Code, is amended by |
|
|
designating Sections 31.001 through 31.005 as Subchapter A and |
|
|
adding a subchapter heading to read as follows: |
|
|
SUBCHAPTER A. GENERAL PROVISIONS |
|
|
SECTION 22. Chapter 31, Utilities Code, is amended by |
|
|
adding Subchapter B to read as follows: |
|
|
SUBCHAPTER B. CYBERSECURITY |
|
|
Sec. 31.051. DEFINITION. In this subchapter, "utility" |
|
|
means: |
|
|
(1) an electric cooperative; |
|
|
(2) an electric utility; |
|
|
(3) a municipally owned electric utility; or |
|
|
(4) a transmission and distribution utility. |
|
|
Sec. 31.052. CYBERSECURITY COORDINATION PROGRAM FOR |
|
|
UTILITIES. (a) The commission shall establish a program to |
|
|
monitor cybersecurity efforts among utilities in this state. The |
|
|
program shall: |
|
|
(1) provide guidance on best practices in |
|
|
cybersecurity and facilitate the sharing of cybersecurity |
|
|
information between utilities; and |
|
|
(2) provide guidance on best practices for |
|
|
cybersecurity controls for supply chain risk management of |
|
|
cybersecurity systems used by utilities, which may include, as |
|
|
applicable, best practices related to: |
|
|
(A) software integrity and authenticity; |
|
|
(B) vendor risk management and procurement |
|
|
controls, including notification by vendors of incidents related to |
|
|
the vendor's products and services; and |
|
|
(C) vendor remote access. |
|
|
(b) The commission may collaborate with the state |
|
|
cybersecurity coordinator and the cybersecurity council |
|
|
established under Chapter 2054, Government Code, in implementing |
|
|
the program. |
|
|
SECTION 23. Section 39.151, Utilities Code, is amended by |
|
|
adding Subsections (o) and (p) to read as follows: |
|
|
(o) An independent organization certified by the commission |
|
|
under this section shall: |
|
|
(1) conduct internal cybersecurity risk assessment, |
|
|
vulnerability testing, and employee training to the extent the |
|
|
independent organization is not otherwise required to do so under |
|
|
applicable state and federal cybersecurity and information |
|
|
security laws; and |
|
|
(2) submit a report annually to the commission on the |
|
|
independent organization's compliance with applicable |
|
|
cybersecurity and information security laws. |
|
|
(p) Information submitted in a report under Subsection (o) |
|
|
is confidential and not subject to disclosure under Chapter 552, |
|
|
Government Code. |
|
|
SECTION 24. Sections 2054.119, 2054.513, and 2054.517, |
|
|
Government Code, are repealed. |
|
|
SECTION 25. To the extent of any conflict, this Act prevails |
|
|
over another Act of the 86th Legislature, Regular Session, 2019, |
|
|
relating to nonsubstantive additions and corrections in enacted |
|
|
codes. |
|
|
SECTION 26. This Act takes effect September 1, 2019. |
|
|
|
|
|
|
| |
| |
| |
| |
______________________________ |
______________________________ |
| |
President of the Senate |
Speaker of the House |
| |
|
|
I hereby certify that S.B. No. 64 passed the Senate on |
|
|
April 26, 2019, by the following vote: Yeas 30, Nays 0; and that |
|
|
the Senate concurred in House amendments on May 24, 2019, by the |
|
|
following vote: Yeas 31, Nays 0. |
|
|
|
| |
| |
______________________________ |
| |
Secretary of the Senate |
| |
|
|
I hereby certify that S.B. No. 64 passed the House, with |
|
|
amendments, on May 22, 2019, by the following vote: Yeas 142, |
|
|
Nays 1, two present not voting. |
|
|
|
| |
| |
______________________________ |
| |
Chief Clerk of the House |
| |
|
|
|
| |
|
|
Approved: |
|
|
|
|
|
______________________________ |
|
|
Date |
|
|
|
|
|
|
|
|
______________________________ |
|
|
Governor |