LEGISLATIVE BUDGET BOARD
Austin, Texas
 
FISCAL NOTE, 86TH LEGISLATIVE REGULAR SESSION
 
March 31, 2019

TO:
Honorable Dade Phelan, Chair, House Committee on State Affairs
 
FROM:
John McGeady, Assistant Director; Sarah Keyton, Assistant Director
Legislative Budget Board
 
IN RE:
HB4214 by Capriglione (Relating to matters concerning governmental entities, including cybersecurity, governmental efficiencies, information resources, and emergency planning.), As Introduced

The fiscal implications of the bill are indeterminate, but costs associated with the bill could be significant. The impact would largely be related to provisions of the bill requiring each agency to implement a constant monitoring program and contract with an independent contractor to conduct an independent assessment of each agency's exposure to information security risks. The minimum costs associated with the bill would be $3.8 million in General Revenue Funds through the biennium ending August 31, 2021.

Chief Innovation Officer

The bill would require the Governor to appoint a chief innovation officer (CIO). The CIO would be required to develop processes and procedures to improve state government efficiency and performance; develop methods to improve the experience of residents, businesses, and local governments in interacting with state government; increase the use of technology by state agencies; provide training; and develop performance measures. The Office of the Governor estimates a cost of $423,790 in General Revenue Funds in the 2020-21 biennium to implement this provision of the bill.

Information Security Continuous Monitoring Program

The bill would require each state agency to develop and maintain an information security continuous monitoring program that allows the agency to maintain awareness of the security and vulnerabilities of and threats to the agency's information resources. The bill would require each agency to evaluate and upgrade information resource technologies and deploy new products as necessary to support information security continuous monitoring and require that each provider hosting state information meet state standards. Costs associated with implementing this provision of the bill could be significant to state agencies. For example, the Texas A&M System estimates a cost of $25,000 to $100,000 per member institution per year to implement this provision of the bill. The Library and Archives Commission estimates a cost of $270,357 in General Revenue Funds in fiscal year 2020 and $120,357 in General Revenue Funds in each subsequent year to implement this provision of the bill. The Texas Medical Board estimates a cost of $161,960 in General Revenue Funds in fiscal year 2020 and $94,460 in General Revenue Funds in each subsequent year to implement this provision of the bill.

The bill would require that DIR oversee the implementation of the provisions related to information security continuous monitoring at each state agency. DIR estimates a cost of $1.1 million in General Revenue Funds for the 2020-21 biennium to implement this provision of the bill.

Independent Risk Assessments

The bill would require each state agency, at least once every five years, to contract with an independent third party selected from a list approved by DIR to conduct an independent risk assessment of the agency's exposure to security risks in the agency's information resources systems. The costs to state agencies to implement this provision of the bill in the biennium would likely be significant but cannot be determined. Each state agency has discretion as to the timing of the risk assessment and an agency may not conduct the assessment in the biennium ending August 31, 2021. For example, the Texas A&M System estimates that the risk assessment would range in cost from $25,000 to $500,000 for each member institution, with a five-year cost of $4.4 million in All Funds. The Library and Archives Commission estimates that the risk assessment would cost $50,000 every five years. The Board of Pharmacy estimates that a risk assessment would cost $60,000 every five years. The Texas Department of Transportation estimates that a risk assessment would cost between $200,000 and $500,000 every five years.

The bill would require DIR to compile the results of the independent risk assessments into a public report and into a confidential report of specific risks and vulnerabilities. DIR would be required to submit an annual report on the results of the independent risk assessments to the legislature. DIR estimates a cost of $102,756 in General Revenue Funds in the 2020-21 biennium to implement this provision of the bill.

Other Provisions

The bill would authorize the executive staff of a state agency to participate in cybersecurity threat simulation exercises to test the cybersecurity capabilities of the agency. DIR estimates a cost of $100,000 in General Revenue Funds in the 2020-21 biennium to implement this provision of the bill.

The bill would require DIR to develop a cybersecurity threat assessment for local governments that provides best practices for preventing cybersecurity attacks. The bill would require DIR to maintain and promote a centralized repository of information on cybersecurity education and training that is available to any governmental entity in the state. DIR estimates a cost of $25,689 in General Revenue Funds in the 2020-21 biennium to implement this provision of the bill.

The bill would require DIR to periodically review guidelines on state agency information that may be stored by a cloud computing or other storage service and the cloud computing or other storage services available to state agencies to ensure that an agency purchasing a major information resource project selects the most affordable, secure, and efficient storage service available to the agency. The guidelines must include appropriate privacy and security standards. DIR estimates a cost of $513,780 in General Revenue Funds in the 2020-21 biennium to implement this provision of the bill.

The bill would require the Homeland Security Council to conduct a study regarding cyber incidents affecting state agencies and critical infrastructure that is owned, operated, or controlled by the agencies. The study would include a comprehensive state response plan that each agency would use to develop an agency-specific response plan.

The bill would require DIR to provide training on cybersecurity measures and awareness to new employees of state agencies. DIR estimates a cost of $275,689 in General Revenue Funds in the 2020-21 biennium to implement this provision of the bill.

The bill would require DIR to develop a comprehensive set of risk-based standards for the Internet connectivity of computing devices embedded in objects used or purchased by state agencies.

The bill would require DIR to conduct a study on the types of objects embedded with computing devices that are connected to the internet that are purchased through DIR and submit a report on the study to the legislature. DIR estimates a cost of $500,000 in General Revenue Funds in the 2020-21 biennium to implement this provision of the bill.

The bill would amend Section 37.108(b) of the Education Code to require each school district or public junior college district to conduct an information technology cybersecurity assessment at least once every three years.

The bill would require the state cybersecurity coordinator to develop best practices for cybersecurity for state and local governments. The bill would require the cybersecurity coordinator to create the cyberstar certificate program to recognize public and private entities that implement the best practices for cybersecurity. The bill would require the cybersecurity coordinator to conduct an annual public event to promote best practices for cybersecurity. DIR estimates a cost of $102,756 in General Revenue Funds in the 2020-21 biennium to implement this provision of the bill.

The bill would require the cybersecurity coordinator to establish and operate up to 20 regional information sharing and analysis systems. The service area boundaries for the regional centers are coextensive with the regional education service centers. The bill would require a political subdivision to report a breach of system security to the regional information sharing and analysis system, not later than 48 hours after discovering the breach. The regional information sharing and analysis system is required to report breaches to DIR. DIR estimates a cost of $643,780 in General Revenue Funds in the 2020-21 biennium to implement these provisions of the bill.

The bill would create a matching grant program for local cybersecurity projects to be administered by the Office of the Governor.

For the provisions of the bill related to DIR, this analysis assumes General Revenue would be appropriated as the method of finance. To the extent that General Revenue is not provided, it is assumed that DIR would fund the costs through administrative fees charged to purchases through the agency's Cooperative Contracts program, deposited as appropriated receipts to the Clearing Fund (Other Funds). DIR may be required to increase the administrative cost percentage to generate sufficient revenue to implement the bill's provisions.

Local Government Impact

There could be a cost to school districts or public junior colleges, but the cost is unknown and would depend on the extent to which these districts already conduct these assessments.

According to the Texas Municipal League, no significant fiscal implication to municipalities is anticipated.


Source Agencies:
300 Trusteed Programs Within the Office of the Governor, 306 Library & Archives Commission, 313 Department of Information Resources, 320 Texas Workforce Commission, 323 Teacher Retirement System, 405 Department of Public Safety, 503 Texas Medical Board, 515 Board of Pharmacy, 529 Health and Human Services Commission, 601 Department of Transportation, 701 Texas Education Agency, 710 Texas A&M University System Administrative and General Offices, 720 The University of Texas System Administration, 781 Higher Education Coordinating Board
LBB Staff:
WP, CMa, JQ, BRi, CW