BILL ANALYSIS

 

 

Senate Research Center

C.S.S.B. 1204

88R20233 YDB-F

By: Paxton

 

Business & Commerce

 

4/4/2023

 

Committee Report (Substituted)

 

 

 

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

Last session, H.B. 4018 created the Joint Oversight Committee on Investment in Information Technology Improvement and Modernization Projects to review investment and funding strategies to modernize state agency technology infrastructure. 

 

The committee did not make specific legislative recommendations, but S.B. 1204 contains recommendations and observations that many of the committee members identified during the interim to enhance cybersecurity posture and better share network and endpoint security threats.

 

S.B. 1204 works to accomplish three main goals:

 

1.      Improve cybersecurity posture of the state agencies. S.B. 1204 will require an independent cybersecurity assessment of state agencies, which will provide the legislature next session with a more objective analysis of resource planning and an assessment of state agency risk. 

 

2.      Modernize state agency planning and tools. Agencies will be provided with additional tools for modernizing state systems, including peer-to-peer payment options, creating road maps to modernize their customer-facing systems, and new technology opportunities that can be integrated into their systems.

 

3.      Facilitate better cybersecurity resource sharing. This is accomplished through existing shared technology services, sharing threat analysis through information sharing and analysis organizations, and an option to appoint highly qualified chief information security officers across multiple agencies. 

 

C.S.S.B. 1204 amends current law relating to state and local government information technology and information security.

 

RULEMAKING AUTHORITY

 

Rulemaking authority previously granted to the Department of Information Resources is rescinded in SECTION 13 (Section 2054.515, Government Code) of this bill.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1. Amends Section 2054.003, Government Code, by adding Subdivisions (11) and (11-a), to define "peer-to-peer payment" and "peer-to-peer payment system."

 

SECTION 2. Amends the heading to Section 2054.0594, Government Code, to read as follows:

 

Sec. 2054.0594. INFORMATION SHARING AND ANALYSIS ORGANIZATIONS.

 

SECTION 3. Amends Section 2054.0594, Government Code, by amending Subsections (a), (b), and (c) and adding Subsection (a-1), as follows:

 

(a) Requires the Department of Information Resources (DIR) to establish an intrastate information sharing and analysis organization to provide a forum for state agencies, local governments, public and private institutions of higher education, and private sector entities in this state to share information regarding cybersecurity threats, best practices, and remediation strategies. Makes a nonsubstantive change.

 

(a-1) Authorizes DIR to establish an interstate information sharing and analysis organization to provide a forum for states to share information regarding cybersecurity threats, best practices, and remediation strategies.

 

(b) Requires DIR to provide administrative support to each information sharing and analysis organization established under this section. Makes a conforming change.

 

(c) Makes conforming changes to this subsection.

 

SECTION 4. Amends Section 2054.060, Government Code, by adding Subsection (a-1), as follows:

 

(a-1) Requires a state agency, unless expressly prohibited by other law or a rule adopted by the state agency, to accept a digital signature included in any communication or payment electronically delivered to the state agency.

 

SECTION 5. Amends the heading to Section 2054.068, Government Code, to read as follows:

 

Sec. 2054.068. STATE AGENCY INFORMATION TECHNOLOGY INFRASTRUCTURE: INFORMATION SECURITY RATING; AUDIT; REPORT.

 

SECTION 6. Amends Section 2054.068, Government Code, by amending Subsections (b), (c), and (d) and adding Subsections (c-1), (c-2), (c-3), (c-4), (e-1), (e-2), and (e-3), as follows:

 

(b) Requires DIR to collect from each state agency information on the status and condition of the agency's information technology infrastructure, including, rather than information regarding:

 

(1)-(3) makes nonsubstantive changes to these subdivisions;

 

(4) the results of the information security assessment required by Section 2054.515; and

 

(5) creates this subdivision from existing text.

 

(c) Requires a state agency to provide the information required by Subsection (b) to DIR not later than June 1 of each even-numbered year, rather than according to a schedule determined by DIR.

 

(c-1) Requires DIR to assign to each state agency that is not an institution of higher education one of the following information security ratings based on the agency's information security risk profile: above average; average; or below average.

 

(c-2) Requires DIR, in assigning an information security rating to a state agency under Subsection (c-1), to consider the information the agency provides under Subsection (b), the agency's comprehensive information security risk position relative to the agency's risk environment, and any additional document or information DIR requests from the agency.

 

(c-3) Provides that DIR is required to develop options and make recommendations for improvements in the information security maturity of any state agency assigned an information security rating of below average under Subsection (c-1) and is authorized to assist any state agency in determining whether additional security measures would increase the agency's information security maturity.

 

(c-4) Authorizes DIR to audit the information security and technology of any state agency assigned an information security rating under Subsection (c-1) or contract with a vendor to perform the audit. Requires DIR to make available on request by any person listed in Subsection (d) the results of an audit conducted under this subsection.

 

(d) Requires DIR, not later than November 15 of each even-numbered year, to submit to the governor, chair of the house appropriations committee, chair of the senate finance committee, speaker of the house of representatives, lieutenant governor, and staff of the Legislative Budget Board (LBB):

 

(1) creates this subdivision from existing text; and

 

(2) any DIR recommendations relevant to and necessary for improving this state's information technology infrastructure and information security.

 

(e-1) Requires DIR to compile a summary of the consolidated report required under Subsection (d) and make the summary available to the public. Prohibits the summary from disclosing any confidential information.

 

(e-2) Provides that the consolidated report required under Subsection (d) and all information a state agency submits to substantiate or otherwise related to the report are confidential and not subject to disclosure under Chapter 552 (Public Information). Authorizes the state agency or DIR to redact or withhold information as confidential under Chapter 552 without requesting a decision from the attorney general under Subchapter G (Attorney General Decisions), Chapter 552.

 

(e-3) Authorizes the LLB, following its review of the consolidated report, to direct DIR to select for participation in a statewide technology center established under Subchapter L (Statewide Technology Centers) any state agency assigned an information security rating under Subsection (c-1). Requires DIR to notify each selected state agency of the agency's selection as required by Section 2054.385 (Notice of Selection). Provides that DIR is not required to conduct the cost and requirements analysis under Section 2054.384 (Cost and Requirements Analysis) for a state agency selected for participation under this subsection. Provides that this subsection expires September 1, 2027.

 

SECTION 7. Amends Subchapter C, Chapter 2054, Government Code, by adding Section 2054.0692, as follows:

 

Sec. 2054.0692. GUIDANCE ON USE OF DISTRIBUTED LEDGER TECHNOLOGY. (a) Requires DIR to develop and disseminate guidance for the use of distributed ledger technology, including blockchain, among state agencies.

 

(b) Requires that the guidance include a framework or model for deciding if distributed ledger technology is appropriate for meeting a state agency's needs. Authorizes the guidance to include:

 

(1) examples of potential uses of distributed ledger technology by an agency;

 

(2) sample procurement and contractual language; and

 

(3) information on educational resources for agencies on distributed ledger technology.

 

SECTION 8. Amends Section 2054.095(b), Government Code, as follows:

 

(b) Requires that instructions under Subsection (a), except as otherwise modified by LBB or the governor, require each state agency's strategic plan to include:

 

(1) makes no changes to this subdivision;

 

(2) makes a nonsubstantive change to this subdivision;

 

(3) a description of customer service technology, including telephone systems and websites, that improves customer service performance; and

 

(4) creates this subdivision from existing text.

 

SECTION 9. Amends Section 2054.1115, Government Code, by amending Subsection (a) and adding Subsection (c), as follows:

 

(a) Authorizes a state agency or local government that uses the state electronic Internet portal to use electronic payment methods, including the acceptance of peer-to-peer payments, credit cards, and debit cards, for certain transactions.

 

(c) Requires DIR to identify the three most commonly used peer-to-peer payment systems and post a list containing those systems in a conspicuous location on DIR's Internet website. Requires DIR to biennially review and, if necessary, update the list required under this subsection.

 

SECTION 10. Amends Section 2054.136, Government Code, as follows:

 

Sec. 2054.136. DESIGNATED INFORMATION SECURITY OFFICER. (a) Requires each state agency to designate an information security officer who meets certain criteria.

 

(b) Authorizes an employee designated under Subsection (a) to be designated to serve as a joint information security officer by two or more state agencies. Requires DIR to approve the joint designation.

 

SECTION 11. Amends Subchapter L, Chapter 2054, Government Code, by adding Section 2054.393, as follows:

 

Sec. 2054.393. MARKETING OF SERVICES. (a) Authorizes DIR, notwithstanding Section 2113.011 (Publicity) and subject to Subsection (b), to use appropriated money to market to state agencies and local governments shared information resources technology services offered by DIR under this subchapter, including data center, disaster recovery, and cybersecurity services.

 

(b) Requires that an expenditure of money under this section be approved by the executive director of DIR.

 

SECTION 12. Amends the heading to Section 2054.515, Government Code, to read as follows:

 

Sec. 2054.515. STATE AGENCY INFORMATION SECURITY ASSESSMENT.

 

SECTION 13. Amends Sections 2054.515(a), (c), and (d), Government Code, as follows:

 

(a) Requires each state agency, at least once every two years, to conduct an information security assessment of the agency's information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities. Deletes existing text requiring each state agency, at least once every two years, to conduct an information security assessment of the agency's data governance program with participation from the agency's data management officer, if applicable, and in accordance with requirements established by DIR rule. Makes nonsubstantive changes.

 

(c) Requires each state agency to complete the information security assessment in consultation with DIR or the vendor DIR selects and submit the results of the assessment to DIR in accordance with Section 2054.068(b) (relating to requiring DIR to collect from each state agency information on the status and condition of the agency's information technology infrastructure, including certain information). Deletes existing text requiring DIR by rule to establish the requirements for the information security assessment and report required by this section.

 

(d) Provides that all documentation, rather than the report and all documentation, related to the information security assessment is confidential and not subject to disclosure under Chapter 552. Makes a conforming change.

 

SECTION 14. Amends Section 2054.577(c), Government Code, as follows:

 

(c) Provides that money in the fund:

 

(1) makes a nonsubstantive change to this subdivision;

 

(2) is authorized to be used to mitigate a breach or suspected breach of system security, as defined by Section 521.053 (Notification Required Following Breach of Security of Computerized Data), Business and Commerce Code, or the introduction of ransomware, as defined by Section 33.023 (Electronic Data Tampering), Penal Code, into a computer, computer network, or computer system at a state agency;

 

(3) makes a nonsubstantive change to this subdivision; and

 

(4) is prohibited from being used to pay a person who commits the crime of electronic data tampering punishable under Section 33.023, Penal Code.

 

SECTION 15. Amends Chapter 2056, Government Code, by adding Section 2056.0023, as follows:

 

Sec. 2056.0023. INFORMATION TECHNOLOGY MODERNIZATION PLAN. (a) Requires a state agency, as part of the strategic plan required under Section 2056.002 (Strategic Plans), to include an information technology modernization plan that outlines the manner in which the agency intends to transition its information technology and data-related services and capabilities into a more modern, integrated, secure, and effective technological environment.

 

(b) Authorizes DIR to provide a template for the information technology modernization plan required by this section.

 

SECTION 16. Repealers: Section 2054.068(f) (relating to providing that the consolidated report submitted is public information and is required to be released or made available to the public on request, with an exception), Government Code, and Section 2054.515(b) (relating to requiring the agency to report the results of the assessment), Government Code, as amended by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the 87th Legislature, Regular Session, 2021.

 

SECTION 17. Requires DIR to develop and disseminate the guidance and decision model required by Section 2054.0692, Government Code, as added by this Act, not later than December 1, 2023.

 

SECTION 18. Effective date: September 1, 2023.