BILL ANALYSIS

C.S.H.B. 4071

By: Shaheen

State Affairs

Committee Report (Substituted)

BACKGROUND AND PURPOSE

 

The evolution of the cell phone and newer technologies such as tablet computers has increased productivity and allowed information to be accessible at any time and from anywhere. Endpoint users are now working across multiple public and private cloud, web, and server-hosting platforms. Without secure endpoint devices, device users are overly reliant on an endpoint user to distribute and access information in a secure manner. C.S.H.B. 4071 seeks to ensure the security of state employee technology by establishing security standards for endpoint devices purchased by state agencies.

 

CRIMINAL JUSTICE IMPACT

 

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

 

RULEMAKING AUTHORITY

 

It is the committee's opinion that rulemaking authority is expressly granted to the Department of Information Resources in SECTION 1 of this bill.

 

ANALYSIS

 

C.S.H.B. 4071 amends the Government Code to establish requirements for the purchase of personal computing goods and multi-functional devices, otherwise known as endpoint devices, by a state agency. To that end, the bill does the following:

· limits the endpoint devices a state agency may purchase or lease to those devices that meet cybersecurity industry-recognized standards and best practices established by the Department of Information Resources (DIR);

· authorizes DIR to compile a list of endpoint devices that are approved for purchase by a state agency;

· establishes that a device on DIR's list satisfies the requirements for purchase or lease by the agency; and

· requires DIR to update any such list not later than the first anniversary of the date of an amendment to a security standard used in approving a device.

The bill authorizes DIR to adopt rules to implement the bill's provisions relating to the compilation of a list. The bill defines "personal computing goods" and "multi-functional device" and clarifies the meaning of "endpoint device."

 

EFFECTIVE DATE

 

On passage, or, if the bill does not receive the necessary vote, September 1, 2021.

COMPARISON OF ORIGINAL AND SUBSTITUTE

 

While C.S.H.B. 4071 may differ from the original in minor or nonsubstantive ways, the following summarizes the substantial differences between the introduced and committee substitute versions of the bill.

 

The substitute gives DIR the discretion to establish the standards that an endpoint device must meet to be approved for purchase by a state agency by replacing requirements in the original that a device meet certain specified federal guidelines, best practices, and cybersecurity framework with a requirement that the device meet cybersecurity industry-recognized standards and best practices established by DIR.

 

The substitute includes wireless communication devices and associated software and network access devices among the devices specifically considered as personal computing goods, whereas the original did not.