A BILL TO BE ENTITLED

AN ACT

relating to state and local government information technology and information security.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 2054.003, Government Code, is amended by adding Subdivisions (11) and (11-a) to read as follows:

(11) "Peer-to-peer payment" means a transfer of funds using a peer-to-peer payment system.

(11-a) "Peer-to-peer payment system" means a digital non-credit card system used for transferring funds from one party to another.

SECTION 2. The heading to Section 2054.0594, Government Code, is amended to read as follows:

Sec. 2054.0594. INFORMATION SHARING AND ANALYSIS ORGANIZATIONS [ORGANIZATION].

SECTION 3. Section 2054.0594, Government Code, is amended by amending Subsections (a), (b), and (c) and adding Subsection (a-1) to read as follows:

(a) The department shall establish an intrastate information sharing and analysis organization to provide a forum for state agencies, local governments, public and private institutions of higher education, and [the] private sector entities in this state to share information regarding cybersecurity threats, best practices, and remediation strategies.

(a-1) The department may establish an interstate information sharing and analysis organization to provide a forum for states to share information regarding cybersecurity threats, best practices, and remediation strategies.

(b) The department shall provide administrative support to each [the] information sharing and analysis organization established under this section.

(c) A participant in an [the] information sharing and analysis organization established under this section shall assert any exception available under state or federal law, including Section 552.139, in response to a request for public disclosure of information shared through the organization. Section 552.007 does not apply to information described by this subsection.

SECTION 4. Section 2054.060, Government Code, is amended by adding Subsection (a-1) to read as follows:

(a-1) Unless expressly prohibited by other law or a rule adopted by the state agency, a state agency shall accept a digital signature included in any communication or payment electronically delivered to the state agency.

SECTION 5. The heading to Section 2054.068, Government Code, is amended to read as follows:

Sec. 2054.068. STATE AGENCY INFORMATION TECHNOLOGY INFRASTRUCTURE: INFORMATION SECURITY RATING; AUDIT; REPORT.

SECTION 6. Section 2054.068, Government Code, is amended by amending Subsections (b), (c), and (d) and adding Subsections (c-1), (c-2), (c-3), (c-4), (e-1), (e-2), and (e-3) to read as follows:

(b) The department shall collect from each state agency information on the status and condition of the agency's information technology infrastructure, including [information regarding]:

(1) information on the agency's information security program;

(2) an inventory of the agency's servers, mainframes, cloud services, and other information technology equipment;

(3) identification information for [of] vendors that operate and manage the agency's information technology infrastructure; [and]

(4) the results of the information security assessment required by Section 2054.515; and

(5) any additional related information requested by the department.

(c) A state agency shall provide the information required by Subsection (b) to the department not later than June 1 of each even-numbered year [according to a schedule determined by the department].

(c-1) The department shall assign to each state agency, other than an institution of higher education, one of the following information security ratings based on the agency's information security risk profile:

(1) above average;

(2) average; or

(3) below average.

(c-2) In assigning an information security rating to a state agency under Subsection (c-1), the department shall consider:

(1) the information the agency provides under Subsection (b);

(2) the agency's comprehensive information security risk position relative to the agency's risk environment; and

(3) any additional document or information the department requests from the agency.

(c-3) The department:

(1) shall develop options and make recommendations for improvements in the information security maturity of any state agency assigned an information security rating of below average under Subsection (c-1); and

(2) may assist any state agency in determining whether additional security measures would increase the agency's information security maturity.

(c-4) The department may audit the information security and technology of any state agency assigned an information security rating under Subsection (c-1) or contract with a vendor to perform the audit. The department shall make available on request by any person listed in Subsection (d) the results of an audit conducted under this subsection.

(d) Not later than November 15 of each even-numbered year, the department shall submit to the governor, chair of the house appropriations committee, chair of the senate finance committee, speaker of the house of representatives, lieutenant governor, and staff of the Legislative Budget Board:

(1) a consolidated report of the information submitted by state agencies under Subsection (b); and

(2) any department recommendations relevant to and necessary for improving this state's information technology infrastructure and information security.

(e-1) The department shall compile a summary of the consolidated report required under Subsection (d) and make the summary available to the public. The summary may not disclose any confidential information.

(e-2) The consolidated report required under Subsection (d) and all information a state agency submits to substantiate or otherwise related to the report are confidential and not subject to disclosure under Chapter 552. The state agency or the department may redact or withhold information as confidential under Chapter 552 without requesting a decision from the attorney general under Subchapter G, Chapter 552.

(e-3) Following review of the consolidated report, the Legislative Budget Board may direct the department to select for participation in a statewide technology center established under Subchapter L any state agency assigned an information security rating under Subsection (c-1). The department shall notify each selected state agency of the agency's selection as required by Section 2054.385. The department is not required to conduct the cost and requirements analysis under Section 2054.384 for a state agency selected for participation under this subsection. This subsection expires September 1, 2027.

SECTION 7. Subchapter C, Chapter 2054, Government Code, is amended by adding Section 2054.0692 to read as follows:

Sec. 2054.0692. GUIDANCE ON USE OF DISTRIBUTED LEDGER TECHNOLOGY. (a) The department shall develop and disseminate guidance for the use of distributed ledger technology, including blockchain, among state agencies.

(b) The guidance must include a framework or model for deciding if distributed ledger technology is appropriate for meeting a state agency's needs. The guidance may include:

(1) examples of potential uses of distributed ledger technology by an agency;

(2) sample procurement and contractual language; and

(3) information on educational resources for agencies on distributed ledger technology.

SECTION 8. Section 2054.095(b), Government Code, is amended to read as follows:

(b) Except as otherwise modified by the Legislative Budget Board or the governor, instructions under Subsection (a) must require each state agency's strategic plan to include:

(1) a description of the agency's information resources management organizations, policies, and practices, including the extent to which the agency uses its project management practices, as defined by Section 2054.152;

(2) a description of how the agency's information resources programs support and promote its mission, goals, and objectives and the goals and policies of the state strategic plan for information resources; [and]

(3) a description of customer service technology, including telephone systems and websites, that improves customer service performance; and

(4) other planning components that the department may prescribe.

SECTION 9. Section 2054.1115, Government Code, is amended by amending Subsection (a) and adding Subsection (c) to read as follows:

(a) A state agency or local government that uses the state electronic Internet portal may use electronic payment methods, including the acceptance of peer-to-peer payments, credit cards, and debit cards, for:

(1) point-of-sale transactions, including:

(A) person-to-person transactions;

(B) transactions that use an automated process to facilitate a person-to-person transaction; and

(C) transactions completed by a person at an unattended self-standing computer station using an automated process;

(2) telephone transactions; or

(3) mail transactions.

(c) The department shall identify at least three commonly used peer-to-peer payment systems that provide for data privacy and financial security and post a list containing those systems in a conspicuous location on the department's Internet website. The department shall biennially review and, if necessary, update the list required under this subsection.

SECTION 10. Section 2054.136, Government Code, is amended to read as follows:

Sec. 2054.136. DESIGNATED INFORMATION SECURITY OFFICER. (a) Each state agency shall designate an information security officer who:

(1) reports to the agency's executive-level management;

(2) has authority over information security for the entire agency;

(3) possesses the training and experience required to perform the duties required by department rules; and

(4) to the extent feasible, has information security duties as the officer's primary duties.

(b) An employee designated under Subsection (a) may be designated to serve as a joint information security officer by two or more state agencies. The department must approve the joint designation.

SECTION 11. Subchapter L, Chapter 2054, Government Code, is amended by adding Section 2054.393 to read as follows:

Sec. 2054.393. MARKETING OF SERVICES. (a) Notwithstanding Section 2113.011 and subject to Subsection (b), the department may use appropriated money to market to state agencies and local governments shared information resources technology services offered by the department under this subchapter, including data center, disaster recovery, and cybersecurity services.

(b) An expenditure of money under this section must be approved by the executive director.

SECTION 12. The heading to Section 2054.515, Government Code, is amended to read as follows:

Sec. 2054.515. STATE AGENCY INFORMATION SECURITY ASSESSMENT [AND REPORT].

SECTION 13. Sections 2054.515(a), (c), and (d), Government Code, are amended to read as follows:

(a) At least once every two years, each state agency shall conduct an information security assessment of the agency's[:
[(1)] information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities[; and
[(2) data governance program with participation from the agency's data management officer, if applicable, and in accordance with requirements established by department rule].

(c) Each state agency shall complete the information security assessment in consultation with the department or the vendor the department selects and submit the results of the assessment to the department in accordance with Section 2054.068(b) [The department by rule shall establish the requirements for the information security assessment and report required by this section].

(d) All [The report and all] documentation related to the information security assessment is [and report are] confidential and not subject to disclosure under Chapter 552. The state agency or department may redact or withhold the information as confidential under Chapter 552 without requesting a decision from the attorney general under Subchapter G, Chapter 552.

SECTION 14. Section 2054.577(c), Government Code, is amended to read as follows:

(c) Money in the fund:

(1) may be used to improve and modernize state agency information resources, including legacy system projects and cybersecurity projects; [and]

(2) may be used to mitigate a breach or suspected breach of system security, as defined by Section 521.053, Business & Commerce Code, or the introduction of ransomware, as defined by Section 33.023, Penal Code, into a computer, computer network, or computer system at a state agency;

(3) may not be used to replace money appropriated to a state agency for the purposes of operating and maintaining state agency information resources or reduce the amount of money appropriated to a state agency for those purposes; and

(4) may not be used to pay a person who commits the offense of electronic data tampering punishable under Section 33.023, Penal Code.

SECTION 15. Chapter 2056, Government Code, is amended by adding Section 2056.0023 to read as follows:

Sec. 2056.0023. INFORMATION TECHNOLOGY MODERNIZATION PLAN. (a) As part of the strategic plan required under Section 2056.002, a state agency shall include an information technology modernization plan that outlines the manner in which the agency intends to transition its information technology and data-related services and capabilities into a more modern, integrated, secure, and effective technological environment.

(b) The Department of Information Resources may provide a template for the information technology modernization plan required by this section.

SECTION 16. The following provisions are repealed:

(1) Section 2054.068(f), Government Code; and

(2) Section 2054.515(b), Government Code, as amended by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the 87th Legislature, Regular Session, 2021.

SECTION 17. The Department of Information Resources shall develop and disseminate the guidance and decision model required by Section 2054.0692, Government Code, as added by this Act, not later than December 1, 2023.

SECTION 18. This Act takes effect September 1, 2023.