By: Capriglione (Senate Sponsor - Paxton) H.B. No. 1118
         (In the Senate - Received from the House April 8, 2021;
  April 12, 2021, read first time and referred to Committee on
  Finance; April 21, 2021, reported adversely, with favorable
  Committee Substitute by the following vote:  Yeas 14, Nays 0;
  April 21, 2021, sent to printer.)
Click here to see the committee vote
 
  COMMITTEE SUBSTITUTE FOR H.B. No. 1118 By:  West
 
 
A BILL TO BE ENTITLED
 
AN ACT
 
  relating to state agency and local government compliance with
  cybersecurity training requirements.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Subchapter A, Chapter 772, Government Code, is
  amended by adding Section 772.012 to read as follows:
         Sec. 772.012.  COMPLIANCE WITH CYBERSECURITY TRAINING
  REQUIREMENTS. (a) In this section, "local government" has the
  meaning assigned by Section 2054.003.
         (b)  To apply for a grant under this chapter, a local
  government must submit with the grant application a written
  certification of the local government's compliance with the
  cybersecurity training required by Section 2054.5191.
         (c)  On a determination by the criminal justice division
  established under Section 772.006 that a local government awarded a
  grant under this chapter has not complied with the cybersecurity
  training required by Section 2054.5191, the local government shall
  pay to this state an amount equal to the amount of the grant award.
  A local government that is the subject of a determination described
  by this subsection is ineligible for another grant under this
  chapter until the second anniversary of the date the local
  government is determined ineligible.
         SECTION 2.  The heading to Section 2054.5191, Government
  Code, is amended to read as follows:
         Sec. 2054.5191.  CYBERSECURITY TRAINING REQUIRED: CERTAIN
  EMPLOYEES AND OFFICIALS.
         SECTION 3.  Section 2054.5191, Government Code, is amended
  by amending Subsections (a-1) and (b) and adding Subsections (a-2),
  (e), and (f) to read as follows:
         (a-1)  At least once each year, a local government shall:
               (1)  identify local government employees and elected
  and appointed officials who have access to a local government
  computer system or database and use a computer to perform at least
  25 percent of the employee's or official's required duties; and
               (2)  require the [those] employees and [elected]
  officials identified under Subdivision (1) [of the local
  government] to complete a cybersecurity training program certified
  under Section 2054.519 [or offered under Section 2054.519(f)].
         (a-2)  The governing body of a local government or the
  governing body's designee may deny access to the local government's
  computer system or database to an individual described by
  Subsection (a-1)(1) who the governing body or the governing body's
  designee determines is noncompliant with the requirements of
  Subsection (a-1)(2).
         (b)  The governing body of a local government may select the
  most appropriate cybersecurity training program certified under
  Section 2054.519 [or offered under Section 2054.519(f)] for
  employees and officials of the local government to complete. The
  governing body shall:
               (1)  verify and report on the completion of a
  cybersecurity training program by employees and officials of the
  local government to the department; and
               (2)  require periodic audits to ensure compliance with
  this section.
         (e)  The department shall develop a form for use by state
  agencies and local governments in verifying completion of
  cybersecurity training program requirements under this section.
  The form must allow the state agency and local government to
  indicate the percentage of employee completion.
         (f)  The requirements of Subsections (a) and (a-1) do not
  apply to employees and officials who have been:
               (1)  granted military leave;
               (2)  granted leave under the federal Family and Medical
  Leave Act of 1993 (29 U.S.C. Section 2601 et seq.);
               (3)  granted leave related to a sickness or disability
  covered by workers' compensation benefits, if that employee no
  longer has access to the state agency's or local government's
  database and systems;
               (4)  granted any other type of extended leave or
  authorization to work from an alternative work site if that
  employee no longer has access to the state agency's or local
  government's database and systems; or
               (5)  denied access to a local government's computer
  system or database by the governing body of the local government or
  the governing body's designee under Subsection (a-2) for
  noncompliance with the requirements of Subsection (a-1)(2).
         SECTION 4.  Section 2056.002(b), Government Code, is amended
  to read as follows:
         (b)  The Legislative Budget Board and the governor's office
  shall determine the elements required to be included in each
  agency's strategic plan. Unless modified by the Legislative Budget
  Board and the governor's office, and except as provided by
  Subsection (c), a plan must include:
               (1)  a statement of the mission and goals of the state
  agency;
               (2)  a description of the indicators developed under
  this chapter and used to measure the output and outcome of the
  agency;
               (3)  identification of the groups of people served by
  the agency, including those having service priorities, or other
  service measures established by law, and estimates of changes in
  those groups expected during the term of the plan;
               (4)  an analysis of the use of the agency's resources to
  meet the agency's needs, including future needs, and an estimate of
  additional resources that may be necessary to meet future needs;
               (5)  an analysis of expected changes in the services
  provided by the agency because of changes in state or federal law;
               (6)  a description of the means and strategies for
  meeting the agency's needs, including future needs, and achieving
  the goals established under Section 2056.006 for each area of state
  government for which the agency provides services;
               (7)  a description of the capital improvement needs of
  the agency during the term of the plan and a statement, if
  appropriate, of the priority of those needs;
               (8)  identification of each geographic region of this
  state, including the Texas-Louisiana border region and the
  Texas-Mexico border region, served by the agency, and if
  appropriate the agency's means and strategies for serving each
  region;
               (9)  a description of the training of the agency's
  contract managers under Section 656.052;
               (10)  an analysis of the agency's expected expenditures
  that relate to federally owned or operated military installations
  or facilities, or communities where a federally owned or operated
  military installation or facility is located;
               (11)  an analysis of the strategic use of information
  resources as provided by the instructions prepared under Section
  2054.095; [and]
               (12)  a written certification of the agency's
  compliance with the cybersecurity training required under Sections
  2054.5191 and 2054.5192; and
               (13)  other information that may be required.
         SECTION 5.  Section 2054.519(f), Government Code, as added
  by Chapter 1308 (H.B. 3834), Acts of the 86th Legislature, Regular
  Session, 2019, is repealed.
         SECTION 6.  (a) Section 772.012, Government Code, as added
  by this Act, applies only to a grant application submitted by a
  local government on or after September 1, 2021.
         (b)  Section 2056.002(b), Government Code, as amended by
  this Act, applies only to a strategic plan submitted by a state
  agency on or after January 1, 2022.
         SECTION 7.  This Act takes effect immediately if it receives
  a vote of two-thirds of all the members elected to each house, as
  provided by Section 39, Article III, Texas Constitution.  If this
  Act does not receive the vote necessary for immediate effect, this
  Act takes effect September 1, 2021.
 
  * * * * *