A BILL TO BE ENTITLED

AN ACT

relating to state agency and local government compliance with cybersecurity training requirements.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Subchapter A, Chapter 772, Government Code, is amended by adding Section 772.012 to read as follows:

Sec. 772.012. COMPLIANCE WITH CYBERSECURITY TRAINING REQUIREMENTS. (a) In this section, "local government" has the meaning assigned by Section 2054.003.

(b) To apply for a grant under this chapter, a local government must submit with the grant application a written certification of the local government's compliance with the cybersecurity training required by Section 2054.5191.

(c) On a determination by the criminal justice division established under Section 772.006 that a local government awarded a grant under this chapter has not complied with the cybersecurity training required by Section 2054.5191, the local government shall pay to this state an amount equal to the amount of the grant award. A local government that is the subject of a determination described by this subsection is ineligible for another grant under this chapter until the second anniversary of the date the local government is determined ineligible.

SECTION 2. The heading to Section 2054.5191, Government Code, is amended to read as follows:

Sec. 2054.5191. CYBERSECURITY TRAINING REQUIRED: CERTAIN EMPLOYEES AND OFFICIALS.

SECTION 3. Section 2054.5191, Government Code, is amended by amending Subsections (a-1) and (b) and adding Subsections (a-2), (e), and (f) to read as follows:

(a-1) At least once each year, a local government shall:

(1) identify local government employees and elected and appointed officials who have access to a local government computer system or database and use a computer to perform at least 25 percent of the employee's or official's required duties; and

(2) require the [those] employees and [elected] officials identified under Subdivision (1) [of the local government] to complete a cybersecurity training program certified under Section 2054.519 [or offered under Section 2054.519(f)].

(a-2) The governing body of a local government or the governing body's designee may deny access to the local government's computer system or database to an individual described by Subsection (a-1)(1) who the governing body or the governing body's designee determines is noncompliant with the requirements of Subsection (a-1)(2).

(b) The governing body of a local government may select the most appropriate cybersecurity training program certified under Section 2054.519 [or offered under Section 2054.519(f)] for employees and officials of the local government to complete. The governing body shall:

(1) verify and report on the completion of a cybersecurity training program by employees and officials of the local government to the department; and

(2) require periodic audits to ensure compliance with this section.

(e) The department shall develop a form for use by state agencies and local governments in verifying completion of cybersecurity training program requirements under this section. The form must allow the state agency and local government to indicate the percentage of employee completion.

(f) The requirements of Subsections (a) and (a-1) do not apply to employees and officials who have been:

(1) granted military leave;

(2) granted leave under the federal Family and Medical Leave Act of 1993 (29 U.S.C. Section 2601 et seq.);

(3) granted leave related to a sickness or disability covered by workers' compensation benefits, if that employee no longer has access to the state agency's or local government's database and systems;

(4) granted any other type of extended leave or authorization to work from an alternative work site if that employee no longer has access to the state agency's or local government's database and systems; or

(5) denied access to a local government's computer system or database by the governing body of the local government or the governing body's designee under Subsection (a-2) for noncompliance with the requirements of Subsection (a-1)(2).

SECTION 4. Section 2056.002(b), Government Code, is amended to read as follows:

(b) The Legislative Budget Board and the governor's office shall determine the elements required to be included in each agency's strategic plan. Unless modified by the Legislative Budget Board and the governor's office, and except as provided by Subsection (c), a plan must include:

(1) a statement of the mission and goals of the state agency;

(2) a description of the indicators developed under this chapter and used to measure the output and outcome of the agency;

(3) identification of the groups of people served by the agency, including those having service priorities, or other service measures established by law, and estimates of changes in those groups expected during the term of the plan;

(4) an analysis of the use of the agency's resources to meet the agency's needs, including future needs, and an estimate of additional resources that may be necessary to meet future needs;

(5) an analysis of expected changes in the services provided by the agency because of changes in state or federal law;

(6) a description of the means and strategies for meeting the agency's needs, including future needs, and achieving the goals established under Section 2056.006 for each area of state government for which the agency provides services;

(7) a description of the capital improvement needs of the agency during the term of the plan and a statement, if appropriate, of the priority of those needs;

(8) identification of each geographic region of this state, including the Texas-Louisiana border region and the Texas-Mexico border region, served by the agency, and if appropriate the agency's means and strategies for serving each region;

(9) a description of the training of the agency's contract managers under Section 656.052;

(10) an analysis of the agency's expected expenditures that relate to federally owned or operated military installations or facilities, or communities where a federally owned or operated military installation or facility is located;

(11) an analysis of the strategic use of information resources as provided by the instructions prepared under Section 2054.095; [and]

(12) a written certification of the agency's compliance with the cybersecurity training required under Sections 2054.5191 and 2054.5192; and

(13) other information that may be required.

SECTION 5. Section 2054.519(f), Government Code, as added by Chapter 1308 (H.B. 3834), Acts of the 86th Legislature, Regular Session, 2019, is repealed.

SECTION 6. (a) Section 772.012, Government Code, as added by this Act, applies only to a grant application submitted by a local government on or after September 1, 2021.

(b) Section 2056.002(b), Government Code, as amended by this Act, applies only to a strategic plan submitted by a state agency on or after January 1, 2022.

SECTION 7. This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution. If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2021.