A BILL TO BE ENTITLED

AN ACT

relating to matters concerning governmental entities, including cybersecurity, governmental efficiencies, information resources, and emergency planning.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 37.108(b), Education Code, is amended to read as follows:

(b) At least once every three years, each school district or public junior college district shall conduct a safety and security audit of the district's facilities, including an information technology cybersecurity assessment. To the extent possible, a district shall follow safety and security audit procedures developed by the Texas School Safety Center or a person included in the registry established by the Texas School Safety Center under Section 37.2091.

SECTION 2. Subchapter A, Chapter 31, Election Code, is amended by adding Section 31.017 to read as follows:

Sec. 31.017. STUDY ON USE OF ARTIFICIAL INTELLIGENCE FOR SIGNATURE VERIFICATION. (a) The secretary of state shall conduct a study on the use of artificial intelligence to verify signatures on carrier envelope certificates for early voting ballots voted by mail. In conducting the study, the secretary of state must consider other states' experiences using that method of signature verification, as well as other studies published on the subject.

(b) Not later than September 1, 2022, the secretary of state shall prepare and deliver a report on the study's findings to the committees of each house of the legislature with primary jurisdiction over elections.

(c) This section expires December 1, 2022.

SECTION 3. Subchapter B, Chapter 421, Government Code, is amended by adding Section 421.027 to read as follows:

Sec. 421.027. CYBER INCIDENT STUDY AND RESPONSE PLAN. (a) In this section:

(1) "Cyber incident" means an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information on the computers or systems. The term includes a vulnerability in implementation or in an information system, system security procedure, or internal control that could be exploited by a threat source.

(2) "Significant cyber incident" means a cyber incident, or a group of related cyber incidents, likely to result in demonstrable harm to state security interests, foreign relations, or the economy of this state or to the public confidence, civil liberties, or public health and safety of the residents of this state.

(b) The council, in cooperation with the Department of Information Resources, shall:

(1) conduct a study regarding cyber incidents and significant cyber incidents affecting state agencies and critical infrastructure that is owned, operated, or controlled by agencies; and

(2) develop a comprehensive state response plan to provide a format for each state agency to develop an agency-specific response plan and to implement the plan into the agency's information security plan required under Section 2054.133 to be implemented by the agency in the event of a cyber incident or significant cyber incident affecting the agency or critical infrastructure that is owned, operated, or controlled by the agency.

(c) Not later than September 1, 2022, the council shall deliver the response plan and a report on the findings of the study to:

(1) the public safety director of the Department of Public Safety;

(2) the governor;

(3) the lieutenant governor;

(4) the speaker of the house of representatives;

(5) the chair of the committee of the senate having primary jurisdiction over homeland security matters; and

(6) the chair of the committee of the house of representatives having primary jurisdiction over homeland security matters.

(d) The response plan required by Subsection (b) and the report required by Subsection (c) are not public information for purposes of Chapter 552.

(e) This section expires December 1, 2022.

SECTION 4. Subchapter L, Chapter 441, Government Code, is amended by adding Sections 441.1825 and 441.1856 to read as follows:

Sec. 441.1825. STATE INFORMATION GOVERNANCE COORDINATOR. (a) The director and librarian shall employ a state information governance coordinator in the commission's records management division.

(b) The state information governance coordinator shall:

(1) ensure records management programs are implemented by state agencies for all media types;

(2) assist state agencies in complying with the agencies' records management programs; and

(3) increase overall awareness and outreach for state agency records management programs.

Sec. 441.1856. TEXAS DIGITAL ARCHIVE. (a) The commission shall maintain and operate a digital repository for the preservation of and access to permanently valuable archival state records, reports, and publications.

(b) The commission, in collaboration with the Department of Information Resources, shall develop a strategy, consistent with state records management and archival practices, for state agencies to transfer appropriate archival state records that are in electronic format to the commission for inclusion in the digital repository described by Subsection (a).

SECTION 5. Section 441.183, Government Code, is amended to read as follows:

Sec. 441.183. RECORDS MANAGEMENT PROGRAMS IN STATE AGENCIES. (a) The agency head of each state agency shall:

(1) establish and maintain a records management program on a continuing and active basis;

(2) create and maintain records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency designed to furnish information to protect the financial and legal rights of the state and any person affected by the activities of the agency;

(3) make certain that all records of the agency are passed to the agency head's successor in the position of agency head;

(4) identify and take adequate steps to protect confidential and vital state records;

(5) cooperate with the commission in the conduct of state agency records management surveys; and

(6) cooperate with the commission, the director and librarian, and any other authorized designee of the director and librarian in fulfilling their duties under this subchapter.

(b) This subsection applies only to a state agency that is a department, commission, board, office, or other agency in the executive branch of state government. This subsection does not apply to an institution of higher education, as defined by Section 61.003, Education Code. As part of a records management program established under Subsection (a), the agency head of a state agency to which this subsection applies shall require training for agency employees, annually and on employment with the agency, regarding the records management program, including the agency's approved records retention schedule.

SECTION 6. Subchapter C, Chapter 2054, Government Code, is amended by adding Section 2054.0695 to read as follows:

Sec. 2054.0695. SECURITY PROGRAM FOR INTERNET CONNECTIVITY OF CERTAIN OBJECTS. (a) The department, in consultation with representatives of the information technology industry and voluntary standards organizations and the 10 state agencies that received the most state appropriations for that state fiscal year as determined by the Legislative Budget Board, shall develop a comprehensive risk management program that identifies baseline security features for the Internet connectivity of computing devices embedded in objects used or purchased by state agencies.

(b) In developing the program under Subsection (a), the department shall identify and use existing international security standards and best practices and any known security gaps for a range of deployments, including critical systems and consumer usage.

SECTION 7. Section 2054.512(d), Government Code, is amended to read as follows:

(d) The cybersecurity council shall:

(1) consider the costs and benefits of establishing a computer emergency readiness team to address cyber attacks occurring in this state during routine and emergency situations;

(2) establish criteria and priorities for addressing cybersecurity threats to critical state installations;

(3) consolidate and synthesize best practices to assist state agencies in understanding and implementing cybersecurity measures that are most beneficial to this state; [and]

(4) assess the knowledge, skills, and capabilities of the existing information technology and cybersecurity workforce to mitigate and respond to cyber threats and develop recommendations for addressing immediate workforce deficiencies and ensuring a long-term pool of qualified applicants; and

(5) ensure all middle and high schools have knowledge of and access to:

(A) free cybersecurity courses and curriculum approved by the Texas Education Agency;

(B) state and regional information sharing and analysis centers; and

(C) contracting benefits, including as provided by Section 2054.0565.

SECTION 8. Subchapter N-1, Chapter 2054, Government Code, is amended by adding Sections 2054.517 and 2054.5172 to read as follows:

Sec. 2054.517. VENDOR RESPONSIBILITY FOR CYBERSECURITY. A vendor that contracts with this state to provide information resources technology for a state agency at a cost to the agency of $1 million or more is responsible for addressing known cybersecurity risks associated with the technology and is responsible for any cost associated with addressing the identified cybersecurity risks. For a major information resources project, the vendor shall provide to state agency contracting personnel:

(1) a written attestation that:

(A) the vendor has a cybersecurity risk management program consistent with:

(i) the cybersecurity framework established by the National Institute of Standards and Technology;

(ii) the 27000 series standards for information security published by the International Organization for Standardization; or

(iii) other widely accepted security risk management frameworks;

(B) the vendor's cybersecurity risk management program includes appropriate training and certifications for the employees performing work under the contract; and

(C) the vendor has a vulnerability management program that addresses vulnerability identification, mitigation, and responsible disclosure, as appropriate; and

(2) an initial summary of any costs associated with addressing or remediating the identified technology or personnel-related cybersecurity risks as identified in collaboration with this state following a risk assessment.

Sec. 2054.5172. ENCRYPTED SECURE LAYER SERVICES REQUIRED. Each state agency that maintains a publicly accessible Internet website that requires the submission of sensitive personally identifiable information shall use an encrypted secure communication protocol, including a secure hypertext transfer protocol.

SECTION 9. Subchapter B, Chapter 2155, Government Code, is amended by adding Section 2155.092 to read as follows:

Sec. 2155.092. VENDOR CERTIFICATION FOR CERTAIN GOODS. (a) This section does not apply to a good provided as part of a major information resources project as defined by Section 2054.003.

(b) A vendor offering to sell to the state a good embedded with a computing device capable of Internet connectivity must include with each bid, offer, proposal, or other expression of interest a written certification providing that the good does not contain, at the time of submitting the bid, offer, proposal, or expression of interest, a hardware, software, or firmware component with any known security vulnerability or defect.

SECTION 10. Section 205.010(b), Local Government Code, is amended to read as follows:

(b) A local government that owns, licenses, or maintains computerized data that includes sensitive personal information shall comply, in the event of a breach of system security, with the notification requirements of:

(1) Sections 364.0051 and 364.0102 of this code; and

(2) Section 521.053, Business & Commerce Code, to the same extent as a person who conducts business in this state.

SECTION 11. Subtitle C, Title 11, Local Government Code, is amended by adding Chapter 364 to read as follows:

CHAPTER 364. LOCAL GOVERNMENT CYBERSECURITY AND EMERGENCY PLANNING AND RESPONSE

SUBCHAPTER A. GENERAL PROVISIONS

Sec. 364.0001. DEFINITIONS. In this chapter:

(1) "Breach of system security" has the meaning assigned by Section 521.053, Business & Commerce Code.

(2) "Cybersecurity coordinator" means the state cybersecurity coordinator designated under Section 2054.511, Government Code.

(3) "Cybersecurity council" means the council established by the cybersecurity coordinator under Section 2054.512, Government Code.

(4) "Sensitive personal information" has the meaning assigned by Section 521.002, Business & Commerce Code.

SUBCHAPTER B. SECURITY BREACH NOTIFICATION

Sec. 364.0051. NOTICE TO CYBERSECURITY COORDINATOR. Not later than 48 hours after a political subdivision discovers a breach or suspected breach of system security or an unauthorized exposure of sensitive personal information, the political subdivision shall notify the cybersecurity coordinator of the breach. The notification must describe the breach, suspected breach, or unauthorized exposure.

Sec. 364.0052. REPORT TO DEPARTMENT OF INFORMATION RESOURCES. The cybersecurity coordinator shall report to the Department of Information Resources any breach of system security reported by a political subdivision in which the person responsible for the breach:

(1) obtained or modified specific critical or sensitive personal information;

(2) established access to the political subdivision's information systems or infrastructure; or

(3) undermined, severely disrupted, or destroyed a core service, program, or function of the political subdivision, or placed the person in a position to do so in the future.

Sec. 364.0053. RULEMAKING. The cybersecurity coordinator may adopt rules necessary to implement this subchapter.

SUBCHAPTER C. EMERGENCY PLANNING AND RESPONSE

Sec. 364.0101. MULTIHAZARD EMERGENCY OPERATIONS PLAN; SAFETY AND SECURITY AUDIT. (a) This section applies to a municipality or county with a population of more than 100,000.

(b) Each municipality and county shall adopt and implement a multihazard emergency operations plan for use in the municipality's and county's facilities. The plan must address mitigation, preparedness, response, and recovery as determined by the cybersecurity council and the governor's public safety office. The plan must provide for:

(1) municipal or county employee training in responding to an emergency;

(2) measures to ensure coordination with the Department of State Health Services, Department of Information Resources, local emergency management agencies, law enforcement agencies, local health departments, and fire departments in the event of an emergency; and

(3) the implementation of a safety and security audit as required by Subsection (c).

(c) At least once every three years, each municipality and county shall conduct a safety and security audit of the municipality's or county's information technology infrastructure. To the extent possible, a municipality or county shall follow safety and security audit procedures developed by the cybersecurity council or a comparable public or private entity.

(d) A municipality or county shall report the results of the safety and security audit conducted under Subsection (c):

(1) to the municipality's or county's governing body; and

(2) in the manner required by the cybersecurity council, to the cybersecurity council.

(e) Except as provided by Subsection (f), any document or information collected, developed, or produced during a safety and security audit conducted under Subsection (c) is not subject to disclosure under Chapter 552, Government Code.

(f) A document relating to a municipality's or county's multihazard emergency operations plan is subject to disclosure if the document enables a person to:

(1) verify that the municipality or county has established a plan and determine the agencies involved in the development of the plan and the agencies coordinating with the municipality or county to respond to an emergency;

(2) verify that the municipality's or county's plan was reviewed within the last 12 months and determine the specific review dates;

(3) verify that the plan addresses the phases of emergency management under Subsection (b);

(4) verify that municipal or county employees have been trained to respond to an emergency and determine the types of training, the number of employees trained, and the person conducting the training;

(5) verify that the municipality or county has completed a safety and security audit under Subsection (c) and determine the date the audit was conducted, the person conducting the audit, and the date the municipality or county presented the results of the audit to the municipality's or county's governing body; and

(6) verify that the municipality or county has addressed any recommendations by the municipality's or county's governing body for improvement of the plan and determine the municipality's or county's progress within the last 12 months.

Sec. 364.0102. RANSOMWARE PAYMENTS PROHIBITED. (a) In this section, "ransomware" has the meaning assigned by Section 33.023, Penal Code.

(b) A political subdivision may not make a ransomware payment related to a ransomware cyber attack.

(c) As soon as practicable after discovering a ransomware cyber attack, a political subdivision shall report the attack to the office of the attorney general and to the information sharing and analysis organization established by the Department of Information Resources under Sec. 2054.0594, Government Code.

SECTION 12. Section 2155.092, Government Code, as added by this Act, applies only in relation to a contract for which a state agency first advertises or otherwise solicits bids, offers, proposals, or other expressions of interest on or after the effective date of this Act.

SECTION 13. (a) Except as provided by Subsection (b) of this section, this Act takes effect September 1, 2021.

(b) Section 364.0102, Local Government Code, as added by this Act, takes effect September 1, 2022.