| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to the requirements for the purchase of endpoint devices |
|
|
by a state agency. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Subchapter N-1, Chapter 2054, Government Code, |
|
|
is amended by adding Section 2054.5193 to read as follows: |
|
|
Sec. 2054.5193. ENDPOINT DEVICE CYBERSECURITY. (a) In |
|
|
this section, "endpoint device" has the meaning assigned by Section |
|
|
2157.201. |
|
|
(b) The department may compile a list of endpoint devices |
|
|
that are approved for purchase by a state agency. An approved |
|
|
endpoint device must meet the: |
|
|
(1) guidelines and best practices for computer |
|
|
security issued by the National Institute of Standards and |
|
|
Technology of the United States Department of Commerce; |
|
|
(2) cybersecurity framework established by the |
|
|
National Institute of Standards and Technology of the United States |
|
|
Department of Commerce; and |
|
|
(3) supply chain risk management guidelines developed |
|
|
by the United States Department of Homeland Security. |
|
|
(c) The department shall update any list of approved |
|
|
endpoint devices the department issues under Subsection (b) not |
|
|
later than the first anniversary of the date of an amendment to a |
|
|
security standard described by Subsection (b). |
|
|
(d) The department may adopt rules to implement this |
|
|
section. |
|
|
SECTION 2. Chapter 2157, Government Code, is amended by |
|
|
adding Subchapter E to read as follows: |
|
|
SUBCHAPTER E. ENDPOINT SECURITY DEVICE |
|
|
Sec. 2157.201. DEFINITIONS. In this subchapter: |
|
|
(1) "Endpoint device" means personal computing goods |
|
|
and multi-functional devices. |
|
|
(2) "Multi-functional device" includes computer |
|
|
imaging devices that perform at least two of the following |
|
|
functions: |
|
|
(A) printing; |
|
|
(B) copying; |
|
|
(C) scanning; or |
|
|
(D) faxing. |
|
|
(3) "Personal computing goods" includes desktop |
|
|
computers, laptop computers, all-in-one computers, tablet |
|
|
computers, thin client computers, and computer monitors. |
|
|
(4) "State agency" means a board, commission, |
|
|
department, office, or other agency in the executive, legislative, |
|
|
or judicial branch of state government that is created by the |
|
|
constitution or a statute of this state. |
|
|
Sec. 2157.202. ENDPOINT DEVICE STANDARDS. (a) A state |
|
|
agency may purchase or lease an endpoint device only if the device |
|
|
meets the: |
|
|
(1) guidelines and best practices for computer |
|
|
security issued by the National Institute of Standards and |
|
|
Technology of the United States Department of Commerce; |
|
|
(2) cybersecurity framework established by the |
|
|
National Institute of Standards and Technology of the United States |
|
|
Department of Commerce; and |
|
|
(3) supply chain risk management guidelines developed |
|
|
by the United States Department of Homeland Security. |
|
|
(b) An endpoint device included on a list of approved |
|
|
endpoint security devices compiled under Section 2054.5193 |
|
|
satisfies the requirements of Subsection (a). |
|
|
SECTION 3. This Act takes effect immediately if it receives |
|
|
a vote of two-thirds of all the members elected to each house, as |
|
|
provided by Section 39, Article III, Texas Constitution. If this |
|
|
Act does not receive the vote necessary for immediate effect, this |
|
|
Act takes effect September 1, 2021. |