| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to physical security and cybersecurity practices for |
|
|
certain utilities that provide electricity service and an |
|
|
independent organization certified to manage a power region. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. The heading to Subchapter B, Chapter 31, |
|
|
Utilities Code, is amended to read as follows: |
|
|
SUBCHAPTER B. PHYSICAL SECURITY AND CYBERSECURITY |
|
|
SECTION 2. The heading to Section 31.052, Utilities Code, |
|
|
is amended to read as follows: |
|
|
Sec. 31.052. PHYSICAL SECURITY AND CYBERSECURITY |
|
|
COORDINATION PROGRAM FOR UTILITIES. |
|
|
SECTION 3. Section 31.052(a), Utilities Code, is amended to |
|
|
read as follows: |
|
|
(a) The commission shall establish a program to monitor and |
|
|
support physical security and cybersecurity efforts among |
|
|
utilities in this state. The program shall: |
|
|
(1) provide guidance, technical assistance, and |
|
|
training on best practices in physical security and cybersecurity |
|
|
and facilitate the sharing of cybersecurity information between |
|
|
utilities; [and] |
|
|
(2) provide guidance, technical assistance, and |
|
|
training on best practices for physical security and cybersecurity |
|
|
controls for supply chain risk management of cybersecurity systems |
|
|
used by utilities, which may include, as applicable, best practices |
|
|
related to: |
|
|
(A) software integrity and authenticity; |
|
|
(B) vendor risk management and procurement |
|
|
controls, including notification by vendors of incidents related to |
|
|
the vendor's products and services; and |
|
|
(C) vendor remote access; |
|
|
(3) develop models, assessments, and auditing |
|
|
procedures for a utility to self-assess physical security and |
|
|
cybersecurity; and |
|
|
(4) provide opportunities for utilities to share with |
|
|
each other best practices for and information on physical security |
|
|
and cybersecurity. |
|
|
SECTION 4. Section 39.151(o), Utilities Code, is amended to |
|
|
read as follows: |
|
|
(o) An independent organization certified by the commission |
|
|
under this section shall: |
|
|
(1) conduct internal physical security and |
|
|
cybersecurity risk assessment, vulnerability testing, and employee |
|
|
training to the extent the independent organization is not |
|
|
otherwise required to do so under applicable state and federal |
|
|
physical security, cybersecurity, and information security laws; |
|
|
and |
|
|
(2) submit a report annually to the commission on the |
|
|
independent organization's compliance with applicable physical |
|
|
security, cybersecurity, and information security laws. |
|
|
SECTION 5. This Act takes effect immediately if it receives |
|
|
a vote of two-thirds of all the members elected to each house, as |
|
|
provided by Section 39, Article III, Texas Constitution. If this |
|
|
Act does not receive the vote necessary for immediate effect, this |
|
|
Act takes effect September 1, 2023. |