| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to public school cybersecurity controls and requirements |
|
|
and technical assistance and cybersecurity risk assessments for |
|
|
public schools provided by the Department of Information Resources. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Section 11.175(c), Education Code, is amended to |
|
|
read as follows: |
|
|
(c) A school district's cybersecurity policy must comply |
|
|
with the cybersecurity controls and requirements adopted by the |
|
|
commissioner under Section 32.351 and may not conflict with the |
|
|
information security standards for institutions of higher |
|
|
education adopted by the Department of Information Resources under |
|
|
Chapters 2054 and 2059, Government Code. |
|
|
SECTION 2. Chapter 32, Education Code, is amended by adding |
|
|
Subchapter H to read as follows: |
|
|
SUBCHAPTER H. CYBERSECURITY |
|
|
Sec. 32.351. CYBERSECURITY CONTROLS AND REQUIREMENTS. (a) |
|
|
The commissioner shall adopt cybersecurity controls and |
|
|
requirements for school districts, open-enrollment charter |
|
|
schools, and district and school vendors in consultation with and |
|
|
as recommended by the Department of Information Resources. |
|
|
(b) Each school district and open-enrollment charter school |
|
|
shall implement the cybersecurity controls and requirements |
|
|
adopted by the commissioner under this section. |
|
|
(c) To implement this section, the agency may contract with: |
|
|
(1) a regional education service center; |
|
|
(2) a private entity; or |
|
|
(3) a regional network security center under |
|
|
Subchapter E, Chapter 2059, Government Code. |
|
|
(d) The commissioner shall adopt rules as necessary to |
|
|
implement this section. |
|
|
(e) Not later than September 1 of each even-numbered year, |
|
|
the commissioner shall review the rules adopted under this section |
|
|
and amend the rules as necessary to ensure that the cybersecurity |
|
|
controls and requirements continue to provide effective |
|
|
cybersecurity protection for school districts and open-enrollment |
|
|
charter schools. |
|
|
SECTION 3. Subchapter C, Chapter 2054, Government Code, is |
|
|
amended by adding Sections 2054.0561 and 2054.0595 to read as |
|
|
follows: |
|
|
Sec. 2054.0561. TECHNICAL ASSISTANCE FOR PUBLIC SCHOOLS. |
|
|
(a) The department may provide technical assistance to school |
|
|
districts and open-enrollment charter schools regarding the |
|
|
implementation of cybersecurity controls, requirements, and |
|
|
network operations under Sections 11.175 and 32.351, Education |
|
|
Code. In providing technical assistance to districts and schools, |
|
|
the department may: |
|
|
(1) use services offered by third parties; |
|
|
(2) procure technology and services for districts and |
|
|
schools; |
|
|
(3) recommend to the Legislative Budget Board that |
|
|
school districts and open-enrollment charter schools migrate |
|
|
services to the State Data Center located on the campus of Angelo |
|
|
State University; and |
|
|
(4) use the services of a regional network security |
|
|
center established under Section 2059.202. |
|
|
(b) The department may adopt rules as necessary to |
|
|
implement this section. |
|
|
Sec. 2054.0595. CYBERSECURITY RISK ASSESSMENTS FOR PUBLIC |
|
|
SCHOOLS. The department may perform a cybersecurity risk |
|
|
assessment of a school district or open-enrollment charter school |
|
|
at the request of: |
|
|
(1) the commissioner of the Texas Education Agency; |
|
|
(2) the superintendent of the district or the person |
|
|
who serves the function of superintendent of the school, as |
|
|
applicable; or |
|
|
(3) the Texas Division of Emergency Management after a |
|
|
cybersecurity incident affecting the district or school. |
|
|
SECTION 4. Section 2059.058(b), Government Code, is amended |
|
|
to read as follows: |
|
|
(b) In addition to the department's duty to provide network |
|
|
security services to state agencies under this chapter, the |
|
|
department by agreement may provide network security to: |
|
|
(1) each house of the legislature; |
|
|
(2) an agency that is not a state agency, including a |
|
|
legislative agency; |
|
|
(3) a political subdivision of this state, including a |
|
|
county, municipality, or special district; |
|
|
(4) an independent organization, as defined by Section |
|
|
39.151, Utilities Code; [and] |
|
|
(5) a public junior college; and |
|
|
(6) an open-enrollment charter school established |
|
|
under Subchapter D, Chapter 12, Education Code. |
|
|
SECTION 5. Section 2059.201, Government Code, is amended to |
|
|
read as follows: |
|
|
Sec. 2059.201. ELIGIBLE PARTICIPATING ENTITIES. A state |
|
|
agency or an entity listed in Sections 2059.058(b)(3)-(6) |
|
|
[2059.058(b)(3)-(5)] is eligible to participate in cybersecurity |
|
|
support and network security provided by a regional network |
|
|
security center under this subchapter. |
|
|
SECTION 6. Section 11.175(g), Education Code, as added by |
|
|
Chapter 1045 (S.B. 1267), Acts of the 87th Legislature, Regular |
|
|
Session, 2021, is repealed. |
|
|
SECTION 7. Not later than March 31, 2024, the Texas |
|
|
Education Agency and the Department of Information Resources shall |
|
|
adopt rules necessary to implement the changes in law made by this |
|
|
Act. |
|
|
SECTION 8. To the extent of any conflict, this Act prevails |
|
|
over another Act of the 88th Legislature, Regular Session, 2023, |
|
|
relating to nonsubstantive additions to and corrections in enacted |
|
|
codes. |
|
|
SECTION 9. This Act takes effect September 1, 2023. |