A BILL TO BE ENTITLED

AN ACT

relating to state agency information technology infrastructure and information security assessments.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. The heading to Section 2054.068, Government Code, is amended to read as follows:

Sec. 2054.068. STATE AGENCY INFORMATION TECHNOLOGY INFRASTRUCTURE: INFORMATION SECURITY RATING; AUDIT; REPORT.

SECTION 2. Section 2054.068, Government Code, is amended by amending Subsections (b), (c), and (d) and adding Subsections (c-1), (c-2), (c-3), (c-4), (e-1), (e-2), and (e-3) to read as follows:

(b) The department shall collect from each state agency information on the status and condition of the agency's information technology infrastructure, including [information regarding]:

(1) information on the agency's information security program;

(2) an inventory of the agency's servers, mainframes, cloud services, and other information technology equipment;

(3) identification information for [of] vendors that operate and manage the agency's information technology infrastructure; [and]

(4) the information security assessment required by Section 2054.515; and

(5) any additional related information requested by the department.

(c) A state agency shall provide the information required by Subsection (b) to the department not later than August 31 of each even-numbered year [according to a schedule determined by the department].

(c-1) The department shall assign to each state agency that is not required to participate in a statewide technology center established under Subchapter L one of the following information security ratings based on the agency's information security risk profile:

(1) above average;

(2) average; or

(3) below average.

(c-2) In assigning an information security rating to a state agency under Subsection (c-1), the department shall consider:

(1) the information the agency provides under Subsection (b);

(2) the agency's comprehensive information security risk position relative to the agency's risk environment; and

(3) any additional document or information the department requests from the agency.

(c-3) The department:

(1) shall develop options and make recommendations for improvements in the information security maturity of any state agency assigned an information security risk rating of below average under Subsection (c-1); and

(2) may assist any state agency in determining whether additional security measures would increase the agency's information security maturity.

(c-4) The department may audit the information security and technology of any state agency assigned an information security risk rating under Subsection (c-1) or contract with a vendor to perform the audit. The department shall make available on request by any person listed in Subsection (d) the results of an audit conducted under this subsection.

(d) Not later than November 15 of each even-numbered year, the department shall submit to the governor, chair of the house appropriations committee, chair of the senate finance committee, speaker of the house of representatives, lieutenant governor, and staff of the Legislative Budget Board:

(1) a consolidated report of the information submitted by state agencies under Subsection (b); and

(2) any department recommendations relevant to and necessary for improving this state's information technology infrastructure and information security.

(e-1) The department shall compile a summary of the consolidated report required under Subsection (d) and make the summary available to the public. The summary may not disclose any confidential information.

(e-2) The consolidated report required under Subsection (d) and all information a state submits to substantiate or otherwise related to the report are confidential and not subject to disclosure under Chapter 552. The agency or department may redact or withhold information as confidential under Chapter 552 without requesting a decision from the attorney general under Subchapter G, Chapter 552.

(e-3) Following review of the consolidated report, the Joint Oversight Committee on Investment in Information Technology Improvement and Modernization Projects established under Section 2054.578 may recommend that the legislature, through a concurrent resolution approved by a majority of the members of each house of the legislature, direct the department to select for participation in a statewide technology center established under Subchapter L any state agency assigned an information security rating under Subsection (c-1). The department shall notify each selected state agency of the agency's selection as required by Section 2054.385. The department is not required to conduct the cost and requirements analysis under Section 2054.384 for a state agency selected for participation under this subsection. This subsection expires September 1, 2027.

SECTION 3. The heading to Section 2054.515, Government Code, is amended to read as follows:

Sec. 2054.515. STATE AGENCY INFORMATION SECURITY ASSESSMENT [AND REPORT].

SECTION 4. Sections 2054.515(a), (c), and (d), Government Code, are amended to read as follows:

(a) At least once every two years, each state agency shall conduct an information security assessment of the agency's[: [(1)] information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities[; and [(2) data governance program with participation from the agency's data management officer, if applicable, and in accordance with requirements established by department rule].

(c) Each state agency shall complete the information security assessment in consultation with the [The] department or the vendor the department selects and submit the assessment to the department in accordance with Section 2054.068(b) [by rule shall establish the requirements for the information security assessment and report required by this section].

(d) All [The report and all] documentation related to the information security assessment is [and report are] confidential and not subject to disclosure under Chapter 552. The state agency or department may redact or withhold the information as confidential under Chapter 552 without requesting a decision from the attorney general under Subchapter G, Chapter 552.

SECTION 5. The following provisions are repealed:

(1) Section 2054.068(f), Government Code; and

(2) Section 2054.515(b), Government Code, as amended by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the 87th Legislature, Regular Session, 2021.

SECTION 6. This Act takes effect September 1, 2023.