88R18451 ANG-D
	By: Buckley	H.B. No. 4944
	Substitute the following for H.B. No. 4944:
	By:  Buckley	C.S.H.B. No. 4944

	A BILL TO BE ENTITLED
	AN ACT
	relating to public school cybersecurity controls, student data
	privacy protection, and requirements and technical assistance and
	cybersecurity risk assessments for public schools provided by the
	Department of Information Resources.
	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
	SECTION 1.  Section 11.175(c), Education Code, is amended to
	read as follows:
	(c)  A school district's cybersecurity policy must comply
	with the cybersecurity controls and requirements adopted by the
	commissioner under Section 32.351 and may not conflict with the
	information security standards for institutions of higher
	education adopted by the Department of Information Resources under
	Chapters 2054 and 2059, Government Code.
	SECTION 2.  Chapter 32, Education Code, is amended by adding
	Subchapters D-1 and H to read as follows:
	SUBCHAPTER D-1. PRIVACY OF STUDENT EDUCATION RECORDS
	Sec. 32.175.  PRIVACY OF STUDENT EDUCATION RECORDS. The
	agency, a school district, or an open-enrollment charter school, as
	applicable, shall protect the privacy of student education records
	in a manner that is at least as stringent as that provided under the
	Family Educational Rights and Privacy Act of 1974 (20 U.S.C.
	Section 1232g), as that law existed on January 1, 2023.
	SUBCHAPTER H.  CYBERSECURITY
	Sec. 32.351.  CYBERSECURITY CONTROLS AND REQUIREMENTS. (a)
	The commissioner shall adopt cybersecurity controls and
	requirements for school districts, open-enrollment charter
	schools, and district and school vendors in consultation with and
	as recommended by the Department of Information Resources.
	(b)  Each school district and open-enrollment charter school
	shall implement the cybersecurity controls and requirements
	adopted by the commissioner under this section.
	(c)  The agency may contract with the following entities to
	implement this section:
	(1)  a regional education service center;
	(2)  a private entity;
	(3)  the Department of Information Resources; or
	(4)  a regional network security center established
	under Subchapter E, Chapter 2059, Government Code.
	(d)  The commissioner shall adopt rules as necessary to
	implement this section.
	(e)  Not later than September 1 of each even-numbered year,
	the commissioner shall review the rules adopted under this section
	and amend the rules as necessary to ensure that the cybersecurity
	controls and requirements continue to provide effective
	cybersecurity protection for school districts and open-enrollment
	charter schools.
	SECTION 3.  Subchapter C, Chapter 2054, Government Code, is
	amended by adding Sections 2054.0561 and 2054.0595 to read as
	follows:
	Sec. 2054.0561.  TECHNICAL ASSISTANCE FOR PUBLIC SCHOOLS.
	(a)  The department may provide technical assistance to school
	districts and open-enrollment charter schools regarding the
	implementation of cybersecurity controls, requirements, and
	network operations under Sections 11.175 and 32.351, Education
	Code.  In providing technical assistance to districts and schools,
	the department may:
	(1)  use services offered by third parties;
	(2)  procure technology and services for districts and
	schools;
	(3)  recommend to the Legislative Budget Board that
	school districts and open-enrollment charter schools migrate
	services to the State Data Center located on the campus of Angelo
	State University; and
	(4)  use the services of a regional network security
	center established under Section 2059.202.
	(b)  The department may adopt rules as necessary to implement
	this section.
	Sec. 2054.0595.  CYBERSECURITY RISK ASSESSMENTS FOR PUBLIC
	SCHOOLS. The department may perform a cybersecurity risk
	assessment of a school district or open-enrollment charter school
	at the request of:
	(1)  the commissioner of education;
	(2)  the superintendent of the district or the person
	who serves the function of superintendent of the school, as
	applicable;
	(3)  the board of trustees of the district or the
	governing body of the school; or
	(4)  the state cybersecurity coordinator after a
	cybersecurity incident affecting the district or school.
	SECTION 4.  Section 2059.058(b), Government Code, is amended
	to read as follows:
	(b)  In addition to the department's duty to provide network
	security services to state agencies under this chapter, the
	department by agreement may provide network security to:
	(1)  each house of the legislature;
	(2)  an agency that is not a state agency, including a
	legislative agency;
	(3)  a political subdivision of this state, including a
	county, municipality, or special district;
	(4)  an independent organization, as defined by Section
	39.151, Utilities Code; [and]
	(5)  a public junior college;
	(6)  an open-enrollment charter school established
	under Subchapter D, Chapter 12, Education Code; and
	(7)  a regional education service center.
	SECTION 5.  Section 2059.201, Government Code, is amended to
	read as follows:
	Sec. 2059.201.  ELIGIBLE PARTICIPATING ENTITIES.  A state
	agency or an entity listed in Sections 2059.058(b)(3)-(7)
	[2059.058(b)(3)-(5)] is eligible to participate in cybersecurity
	support and network security provided by a regional network
	security center under this subchapter.
	SECTION 6.  Section 11.175(g), Education Code, as added by
	Chapter 1045 (S.B. 1267), Acts of the 87th Legislature, Regular
	Session, 2021, is repealed.
	SECTION 7.  Not later than March 31, 2024, the Texas
	Education Agency and the Department of Information Resources shall
	adopt rules necessary to implement the changes in law made by this
	Act.
	SECTION 8.  To the extent of any conflict, this Act prevails
	over another Act of the 88th Legislature, Regular Session, 2023,
	relating to nonsubstantive additions to and corrections in enacted
	codes.
	SECTION 9.  This Act takes effect September 1, 2023.