BILL ANALYSIS

 

 

 

S.B. 1204

By: Paxton

State Affairs

Committee Report (Unamended)

 

 

 

BACKGROUND AND PURPOSE

 

There is a need to build off the recommendations and observations of the Joint Oversight Committee on Investment in Information Technology Improvement and Modernization Projects, the work group on blockchain matters, and the Biennial Performance Report of the Department of Information Resources. S.B. 1204 seeks to address this need by setting out and revising provisions relating to state and local government information technology and information security in order to improve the cybersecurity posture of state agencies, modernize state agency planning and tools, and facilitate better cybersecurity resource sharing.

 

CRIMINAL JUSTICE IMPACT

 

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

 

RULEMAKING AUTHORITY

 

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.

 

ANALYSIS

 

Information Sharing and Analysis Organizations

 

S.B. 1204 amends the Government Code to make the information sharing and analysis organization required to be established by the Department of Information Resources (DIR) an intrastate organization. The bill authorizes DIR to establish an interstate information sharing and analysis organization to provide a forum for states to share information regarding cybersecurity threats, best practices, and remediation strategies and extends the applicability of provisions relating to the intrastate organization to also apply to the interstate organization.

 

Digital Signatures 

 

S.B. 1204 requires an applicable state agency, unless expressly prohibited by law or a rule adopted by the state agency, to accept a digital signature included in any communication or payment electronically delivered to the state agency.

 

Information Security Assessments, Information Security Ratings, and Status and Condition of State Agency Information Technology Infrastructure

 

S.B. 1204 removes the requirement for DIR by rule to establish the requirements for a state agency's information security assessment. The bill removes the requirement that each state agency, at least once every two years, conduct an information security assessment of the agency's data governance program with participation from the agency's data management officer, if applicable, and in accordance with requirements established by DIR rule. The bill repeals provisions that require an agency to report the results of that assessment and of an information security assessment of the agency's information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities to DIR and, on request, the governor, the lieutenant governor, and the speaker of the house of representatives. The bill requires each state agency to complete the latter information security assessment in consultation with DIR or the vendor DIR selects and to submit the assessment's results to DIR in accordance with the bill's provisions.

 

S.B. 1204 includes the results of that information security assessment among the items DIR must collect from each state agency regarding information on the status and condition of the agency's information technology infrastructure. Whereas current law requires a state agency to provide such information to DIR in accordance with a DIR-determined schedule, the bill requires the information to be provided not later than June 1 of each even-numbered year. The bill requires DIR to assign to each applicable state agency, other than an institution of higher education, one of the following information security ratings based on the agency's information security risk profile:

ˇ         above average;

ˇ         average; or

ˇ         below average.

The bill requires DIR to consider the following in assigning an information security rating to a state agency:

ˇ         the information the agency provides regarding the status and condition of the agency's information technology infrastructure;

ˇ         the agency's comprehensive information security risk position relative to the agency's risk environment; and

ˇ         any additional document or information DIR requests from the agency.

The bill requires DIR to develop options and make recommendations for improvements in the information security maturity of any state agency assigned an information security rating of below average. The bill authorizes DIR to assist any state agency in determining whether additional security measures would increase the agency's information security maturity and to audit the information security and technology of any state agency assigned an information security rating or contract with a vendor to perform the audit. The bill requires DIR to make audit results available on request by any of the following persons:

ˇ         the governor;

ˇ         the chair of the house appropriations committee;

ˇ         the chair of the senate finance committee;

ˇ         the speaker of the house of representatives;

ˇ         the lieutenant governor; and

ˇ         Legislative Budget Board (LBB) staff.

The bill requires DIR, not later than November 15 of each even-numbered year, to submit to those listed persons any DIR recommendations relevant to and necessary for improving the state's information technology infrastructure and information security.

 

S.B. 1204 requires DIR to compile a summary of its biennial consolidated report of the information submitted by state agencies regarding the status and condition of agency information technology infrastructure and make the summary available to the public. The summary may not disclose any confidential information. The bill repeals provisions that make the consolidated report, with the exception of confidential information, public information; that require the report to be released or made available to the public on request; and that authorize an applicable governmental body to withhold confidential information that is contained in a released consolidated report without the necessity of requesting a decision from the attorney general. The bill instead makes the consolidated report and all information a state agency submits to substantiate or otherwise related to the report confidential and not subject to disclosure under state public information law. The bill authorizes a state agency or DIR to redact or withhold information as confidential under state public information law without requesting a decision from the attorney general.

 

S.B. 1204 authorizes the LBB, following review of the consolidated report, to direct DIR to select for participation in a statewide technology center any state agency assigned an information security rating. The bill requires DIR to notify each selected state agency of the agency's selection as required by applicable provisions and establishes that DIR is not required to conduct the cost and requirements analysis for a selected state agency. These provisions of the bill expire September 1, 2027.

 

Distributed Ledger Technology Guidance

 

S.B. 1204 requires DIR to develop and disseminate guidance for the use of distributed ledger technology, including blockchain, among state agencies. The bill requires the guidance to include a framework or model for deciding if distributed ledger technology is appropriate for meeting a state agency's needs and authorizes the guidance to include the following:

ˇ         examples of potential uses of distributed ledger technology by an agency;

ˇ         sample procurement and contractual language; and

ˇ         information on educational resources for agencies on distributed ledger technology.

The bill requires DIR to develop and disseminate the guidance and decision model not later than December 1, 2023.

 

State Agency Strategic Plans

 

S.B. 1204 requires DIR-prepared instructions for use by a state agency in preparing its operational strategic plan to require a plan to include, except as otherwise modified by the LLB or the governor, a description of customer service technology, including telephone systems and websites, that improves customer service performance. The bill requires a state agency, as part of its operational strategic plan, to include an information technology modernization plan that outlines the manner in which the agency intends to transition its information technology and data-related services and capabilities into a more modern, integrated, secure, and effective technological environment. The bill authorizes DIR to provide a template for such plan.

 

Peer-to-Peer Payments 

 

S.B. 1204 includes the acceptance of peer-to-peer payments as an electronic payment method that may be used for applicable transactions by a state agency or local government that uses the state electronic Internet portal. The bill requires DIR to identify at least three commonly used peer-to-peer payment systems that provide for data privacy and financial security and post a list containing those systems in a conspicuous location on its website. The bill requires DIR to biennially review and, if necessary, update the list. The bill defines the following:

ˇ         "peer-to-peer payment" as a transfer of funds using a peer-to-peer payment system; and

ˇ         "peer-to-peer payment system" as a digital non-credit card system used for transferring funds from one party to another.

 

Information Security Officer

 

S.B. 1204 authorizes a state agency employee designated as the agency's information security officer to be designated to serve as a joint information security officer by two or more state agencies. The bill requires DIR to approve the joint designation.

 

Use of Appropriated Money and the Technology Improvement and Modernization Fund

 

S.B. 1204 authorizes DIR to use appropriated money to market to applicable state agencies and local governments shared information resources technology services offered by DIR with regard to statewide technology centers, including data center, disaster recovery, and cybersecurity services. Such an expenditure of money must be approved by the DIR executive director.

 

S.B. 1204 provides that money in the technology improvement and modernization fund may be used to mitigate an applicable breach or suspected breach of system security or the introduction of applicable ransomware into a computer, computer network, or computer system at an applicable state agency. Money in the fund may not be used to pay a person who commits the offense of electronic data tampering.

 

Repealed Provisions

 

S.B. 1204 repeals the following provisions:

ˇ         Section 2054.068(f), Government Code; and

ˇ         Section 2054.515(b), Government Code, as amended by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the 87th Legislature, Regular Session, 2021.

 

EFFECTIVE DATE

 

September 1, 2023.