By: Paxton, et al. S.B. No. 1204
 
  (Capriglione)
 
   
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to state and local government information technology and
  information security.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 2054.003, Government Code, is amended by
  adding Subdivisions (11) and (11-a) to read as follows:
               (11)  "Peer-to-peer payment" means a transfer of funds
  using a peer-to-peer payment system.
               (11-a)  "Peer-to-peer payment system" means a digital
  non-credit card system used for transferring funds from one party
  to another.
         SECTION 2.  The heading to Section 2054.0594, Government
  Code, is amended to read as follows:
         Sec. 2054.0594.  INFORMATION SHARING AND ANALYSIS
  ORGANIZATIONS [ORGANIZATION].
         SECTION 3.  Section 2054.0594, Government Code, is amended
  by amending Subsections (a), (b), and (c) and adding Subsection
  (a-1) to read as follows:
         (a)  The department shall establish an intrastate
  information sharing and analysis organization to provide a forum
  for state agencies, local governments, public and private
  institutions of higher education, and [the] private sector entities
  in this state to share information regarding cybersecurity threats,
  best practices, and remediation strategies.
         (a-1)  The department may establish an interstate
  information sharing and analysis organization to provide a forum
  for states to share information regarding cybersecurity threats,
  best practices, and remediation strategies.
         (b)  The department shall provide administrative support to
  each [the] information sharing and analysis organization
  established under this section.
         (c)  A participant in an [the] information sharing and
  analysis organization established under this section shall assert
  any exception available under state or federal law, including
  Section 552.139, in response to a request for public disclosure of
  information shared through the organization. Section 552.007 does
  not apply to information described by this subsection.
         SECTION 4.  Section 2054.060, Government Code, is amended by
  adding Subsection (a-1) to read as follows:
         (a-1)  Unless expressly prohibited by other law or a rule
  adopted by the state agency, a state agency shall accept a digital
  signature included in any communication or payment electronically
  delivered to the state agency.
         SECTION 5.  The heading to Section 2054.068, Government
  Code, is amended to read as follows:
         Sec. 2054.068.  STATE AGENCY INFORMATION TECHNOLOGY
  INFRASTRUCTURE: INFORMATION SECURITY RATING; AUDIT; REPORT.
         SECTION 6.  Section 2054.068, Government Code, is amended by
  amending Subsections (b), (c), and (d) and adding Subsections
  (c-1), (c-2), (c-3), (c-4), (e-1), (e-2), and (e-3) to read as
  follows:
         (b)  The department shall collect from each state agency
  information on the status and condition of the agency's information
  technology infrastructure, including [information regarding]:
               (1)  information on the agency's information security
  program;
               (2)  an inventory of the agency's servers, mainframes,
  cloud services, and other information technology equipment;
               (3)  identification information for [of] vendors that
  operate and manage the agency's information technology
  infrastructure; [and]
               (4)  the results of the information security assessment
  required by Section 2054.515; and
               (5)  any additional related information requested by
  the department.
         (c)  A state agency shall provide the information required by
  Subsection (b) to the department not later than June 1 of each
  even-numbered year [according to a schedule determined by the
  department].
         (c-1)  The department shall assign to each state agency,
  other than an institution of higher education, one of the following
  information security ratings based on the agency's information
  security risk profile:
               (1)  above average;
               (2)  average; or
               (3)  below average.
         (c-2)  In assigning an information security rating to a state
  agency under Subsection (c-1), the department shall consider:
               (1)  the information the agency provides under
  Subsection (b);
               (2)  the agency's comprehensive information security
  risk position relative to the agency's risk environment; and
               (3)  any additional document or information the
  department requests from the agency.
         (c-3)  The department:
               (1)  shall develop options and make recommendations for
  improvements in the information security maturity of any state
  agency assigned an information security rating of below average
  under Subsection (c-1); and
               (2)  may assist any state agency in determining whether
  additional security measures would increase the agency's
  information security maturity.
         (c-4)  The department may audit the information security and
  technology of any state agency assigned an information security
  rating under Subsection (c-1) or contract with a vendor to perform
  the audit. The department shall make available on request by any
  person listed in Subsection (d) the results of an audit conducted
  under this subsection.
         (d)  Not later than November 15 of each even-numbered year,
  the department shall submit to the governor, chair of the house
  appropriations committee, chair of the senate finance committee,
  speaker of the house of representatives, lieutenant governor, and
  staff of the Legislative Budget Board:
               (1)  a consolidated report of the information submitted
  by state agencies under Subsection (b); and
               (2)  any department recommendations relevant to and
  necessary for improving this state's information technology
  infrastructure and information security.
         (e-1)  The department shall compile a summary of the
  consolidated report required under Subsection (d) and make the
  summary available to the public. The summary may not disclose any
  confidential information.
         (e-2)  The consolidated report required under Subsection (d)
  and all information a state agency submits to substantiate or
  otherwise related to the report are confidential and not subject to
  disclosure under Chapter 552. The state agency or the department
  may redact or withhold information as confidential under Chapter
  552 without requesting a decision from the attorney general under
  Subchapter G, Chapter 552.
         (e-3)  Following review of the consolidated report, the
  Legislative Budget Board may direct the department to select for
  participation in a statewide technology center established under
  Subchapter L any state agency assigned an information security
  rating under Subsection (c-1). The department shall notify each
  selected state agency of the agency's selection as required by
  Section 2054.385. The department is not required to conduct the
  cost and requirements analysis under Section 2054.384 for a state
  agency selected for participation under this subsection. This
  subsection expires September 1, 2027.
         SECTION 7.  Subchapter C, Chapter 2054, Government Code, is
  amended by adding Section 2054.0692 to read as follows:
         Sec. 2054.0692.  GUIDANCE ON USE OF DISTRIBUTED LEDGER
  TECHNOLOGY. (a) The department shall develop and disseminate
  guidance for the use of distributed ledger technology, including
  blockchain, among state agencies.
         (b)  The guidance must include a framework or model for
  deciding if distributed ledger technology is appropriate for
  meeting a state agency's needs. The guidance may include:
               (1)  examples of potential uses of distributed ledger
  technology by an agency;
               (2)  sample procurement and contractual language; and
               (3)  information on educational resources for agencies
  on distributed ledger technology.
         SECTION 8.  Section 2054.095(b), Government Code, is amended
  to read as follows:
         (b)  Except as otherwise modified by the Legislative Budget
  Board or the governor, instructions under Subsection (a) must
  require each state agency's strategic plan to include:
               (1)  a description of the agency's information
  resources management organizations, policies, and practices,
  including the extent to which the agency uses its project
  management practices, as defined by Section 2054.152;
               (2)  a description of how the agency's information
  resources programs support and promote its mission, goals, and
  objectives and the goals and policies of the state strategic plan
  for information resources; [and]
               (3)  a description of customer service technology,
  including telephone systems and websites, that improves customer
  service performance; and
               (4)  other planning components that the department may
  prescribe.
         SECTION 9.  Section 2054.1115, Government Code, is amended
  by amending Subsection (a) and adding Subsection (c) to read as
  follows:
         (a)  A state agency or local government that uses the state
  electronic Internet portal may use electronic payment methods,
  including the acceptance of peer-to-peer payments, credit cards,
  and debit cards, for:
               (1)  point-of-sale transactions, including:
                     (A)  person-to-person transactions;
                     (B)  transactions that use an automated process to
  facilitate a person-to-person transaction; and
                     (C)  transactions completed by a person at an
  unattended self-standing computer station using an automated
  process;
               (2)  telephone transactions; or
               (3)  mail transactions.
         (c)  The department shall identify at least three commonly
  used peer-to-peer payment systems that provide for data privacy and
  financial security and post a list containing those systems in a
  conspicuous location on the department's Internet website. The
  department shall biennially review and, if necessary, update the
  list required under this subsection.
         SECTION 10.  Section 2054.136, Government Code, is amended
  to read as follows:
         Sec. 2054.136.  DESIGNATED INFORMATION SECURITY OFFICER.
  (a) Each state agency shall designate an information security
  officer who:
               (1)  reports to the agency's executive-level
  management;
               (2)  has authority over information security for the
  entire agency;
               (3)  possesses the training and experience required to
  perform the duties required by department rules; and
               (4)  to the extent feasible, has information security
  duties as the officer's primary duties.
         (b)  An employee designated under Subsection (a) may be
  designated to serve as a joint information security officer by two
  or more state agencies. The department must approve the joint
  designation.
         SECTION 11.  Subchapter L, Chapter 2054, Government Code, is
  amended by adding Section 2054.393 to read as follows:
         Sec. 2054.393.  MARKETING OF SERVICES. (a) Notwithstanding
  Section 2113.011 and subject to Subsection (b), the department may
  use appropriated money to market to state agencies and local
  governments shared information resources technology services
  offered by the department under this subchapter, including data
  center, disaster recovery, and cybersecurity services.
         (b)  An expenditure of money under this section must be
  approved by the executive director.
         SECTION 12.  The heading to Section 2054.515, Government
  Code, is amended to read as follows:
         Sec. 2054.515.  STATE AGENCY INFORMATION SECURITY
  ASSESSMENT [AND REPORT].
         SECTION 13.  Sections 2054.515(a), (c), and (d), Government
  Code, are amended to read as follows:
         (a)  At least once every two years, each state agency shall
  conduct an information security assessment of the agency's[:
               [(1)]  information resources systems, network systems,
  digital data storage systems, digital data security measures, and
  information resources vulnerabilities[; and
               [(2)  data governance program with participation from
  the agency's data management officer, if applicable, and in
  accordance with requirements established by department rule].
         (c)  Each state agency shall complete the information
  security assessment in consultation with the department or the
  vendor the department selects and submit the results of the
  assessment to the department in accordance with Section 2054.068(b)
  [The department by rule shall establish the requirements for the
  information security assessment and report required by this
  section].
         (d)  All [The report and all] documentation related to the
  information security assessment is [and report are] confidential
  and not subject to disclosure under Chapter 552. The state agency
  or department may redact or withhold the information as
  confidential under Chapter 552 without requesting a decision from
  the attorney general under Subchapter G, Chapter 552.
         SECTION 14.  Section 2054.577(c), Government Code, is
  amended to read as follows:
         (c)  Money in the fund:
               (1)  may be used to improve and modernize state agency
  information resources, including legacy system projects and
  cybersecurity projects; [and]
               (2)  may be used to mitigate a breach or suspected
  breach of system security, as defined by Section 521.053, Business &
  Commerce Code, or the introduction of ransomware, as defined by
  Section 33.023, Penal Code, into a computer, computer network, or
  computer system at a state agency;
               (3)  may not be used to replace money appropriated to a
  state agency for the purposes of operating and maintaining state
  agency information resources or reduce the amount of money
  appropriated to a state agency for those purposes; and
               (4)  may not be used to pay a person who commits the
  offense of electronic data tampering punishable under Section
  33.023, Penal Code.
         SECTION 15.  Chapter 2056, Government Code, is amended by
  adding Section 2056.0023 to read as follows:
         Sec. 2056.0023.  INFORMATION TECHNOLOGY MODERNIZATION PLAN.
  (a) As part of the strategic plan required under Section 2056.002,
  a state agency shall include an information technology
  modernization plan that outlines the manner in which the agency
  intends to transition its information technology and data-related
  services and capabilities into a more modern, integrated, secure,
  and effective technological environment.
         (b)  The Department of Information Resources may provide a
  template for the information technology modernization plan
  required by this section.
         SECTION 16.  The following provisions are repealed:
               (1)  Section 2054.068(f), Government Code; and
               (2)  Section 2054.515(b), Government Code, as amended
  by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the 87th
  Legislature, Regular Session, 2021.
         SECTION 17.  The Department of Information Resources shall
  develop and disseminate the guidance and decision model required by
  Section 2054.0692, Government Code, as added by this Act, not later
  than December 1, 2023.
         SECTION 18.  This Act takes effect September 1, 2023.