By: Jetton H.B. No. 2494
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to information security officers and network threat
  detection and response for state agencies.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 2054.133(b), Government Code, is amended
  to read as follows:
         (b)  In developing the plan, the state agency shall:
               (1)  consider any vulnerability report prepared under
  Section 2054.077 for the agency;
               (2)  incorporate the network security services
  provided by the department to the agency under Chapter 2059;
               (3)  identify and define the responsibilities of agency
  staff who produce, access, use, or serve as custodians of the
  agency's information;
               (4)  identify risk management and other measures taken
  to protect the agency's information from unauthorized access,
  disclosure, modification, or destruction;
               (5)  include:
                     (A)  the best practices for information security
  developed by the department; or
                     (B)  a written explanation of why the best
  practices are not sufficient for the agency's security; [and]
               (6)  omit from any written copies of the plan
  information that could expose vulnerabilities in the agency's
  network or online systems; and
               (7)  consider whether network threat detection and
  response solutions, that permit anonymized security reports to be
  shared among participating entities in as close to real time as
  possible, would enhance the plan and include those solutions as
  part of the plan as the agency determines appropriate.
         SECTION 2.  Section 2054.136, Government Code, is amended to
  read as follows:
         Sec. 2054.136.  DESIGNATED INFORMATION SECURITY OFFICER.
  Each state agency shall designate an information security officer
  who:
               (1)  acts independently of the agency in the
  performance of the officer's duties under this chapter and reports
  to the department on information security issues and to the
  agency's executive-level management on other issues;
               (2)  has authority over information security for the
  entire agency;
               (3)  possesses the training and experience required to
  perform the duties required by department rules; and
               (4)  to the extent feasible, has information security
  duties as the officer's primary duties.
         SECTION 3.  Sections 2054.512(d) and (e), Government Code,
  are amended to read as follows:
         (d)  The cybersecurity council shall:
               (1)  consider the costs and benefits of establishing a
  computer emergency readiness team to address cyber attacks
  occurring in this state during routine and emergency situations;
               (2)  establish criteria and priorities for addressing
  cybersecurity threats to critical state installations;
               (3)  consolidate and synthesize best practices to
  assist state agencies in understanding and implementing
  cybersecurity measures, including network threat detection and
  response solutions, that are most beneficial to this state; and
               (4)  assess the knowledge, skills, and capabilities of
  the existing information technology and cybersecurity workforce to
  mitigate and respond to cyber threats and develop recommendations
  for addressing immediate workforce deficiencies and ensuring a
  long-term pool of qualified applicants.
         (e)  The cybersecurity council shall provide recommendations
  to the legislature on any legislation necessary to implement
  cybersecurity best practices and remediation strategies for this
  state, including network threat detection and response solutions.
         SECTION 4.  Section 2054.518(a), Government Code, is amended
  to read as follows:
         (a)  The department shall develop a plan to address
  cybersecurity risks and incidents in this state.  The department
  may enter into an agreement with a national organization, including
  the National Cybersecurity Preparedness Consortium, to support the
  department's efforts in implementing the components of the plan for
  which the department lacks resources to address internally.  The
  agreement may include provisions for:
               (1)  providing technical assistance services to
  support preparedness for and response to cybersecurity risks and
  incidents;
               (2)  conducting cybersecurity simulation exercises for
  state agencies to encourage coordination in defending against and
  responding to cybersecurity risks and incidents;
               (3)  assisting state agencies in developing
  cybersecurity information-sharing programs to disseminate
  information related to cybersecurity risks and incidents; [and]
               (4)  incorporating cybersecurity risk and incident
  prevention and response methods into existing state emergency
  plans, including continuity of operation plans and incident
  response plans; and
               (5)  incorporating network threat detection and
  response solutions into state agency cybersecurity plans, that
  permit anonymized security reports to be shared among participating
  entities in as close to real time as possible, to assist state
  agencies with monitoring agency networks for security threats and
  responding to detected security threats.
         SECTION 5.  This Act takes effect September 1, 2023.