88R2127 JCG-D
 
  By: Campbell S.B. No. 2377
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to homeland security, including the creation of the Texas
  Homeland Security Division in the Department of Public Safety, the
  operations of the Homeland Security Council, the creation of a
  homeland security fusion center, and the duties of state agencies
  and local governments in preparing for, reporting, and responding
  to cybersecurity breaches; providing administrative penalties;
  creating criminal offenses.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  (a) The legislature finds that the federal
  government's inadequate border security measures, the trafficking
  of fentanyl across the borders of this state, Central America's
  turn towards authoritarian regimes, China's hostile rhetoric
  regarding Taiwan, and Russia's invasion of Ukraine create an
  ever-changing threat landscape to the security of this state.
         (b)  Due to these continuous threats, this state must
  continue taking serious measures to secure its critical
  infrastructure, cyber networks, and border and monitor security
  threats from hostile nations and non-state actors.
         (c)  These present and future threats require this state to
  create a unified security organization under the Department of
  Public Safety of the State of Texas whose sole mission is to
  safeguard the people and infrastructure that make this state great.
         (d)  The Texas Homeland Security Division, as established by
  this Act, will unify this state's security responsibilities into
  one entity that reports directly to the governor and the public
  safety director of the Department of Public Safety of the State of
  Texas.
         SECTION 2.  Chapter 411, Government Code, is amended by
  adding Subchapter S to read as follows:
  SUBCHAPTER S. TEXAS HOMELAND SECURITY DIVISION
         Sec. 411.551.  DEFINITIONS. In this subchapter:
               (1)  "Division" means the Texas Homeland Security
  Division established in the department under this subchapter.
               (2)  "Division director" means the director of the
  Texas Homeland Security Division appointed under this subchapter.
         Sec. 411.552.  ESTABLISHMENT; DIRECTOR; EMPLOYEES. (a) The
  Texas Homeland Security Division is established in the department.
         (b)  Notwithstanding Section 411.006(a)(6), the public
  safety director shall appoint, with the advice and consent of the
  governor, a homeland security director to manage the division.
         (c)  The division director may hire employees as necessary to
  carry out the duties of the division.
         Sec. 411.553.  GENERAL DUTIES. The division shall, in
  consultation with the governor:
               (1)  develop and implement strategic homeland security
  operations; and
               (2)  unify governmental activities and
  responsibilities related to homeland security under the direction
  of the division.
         Sec. 411.554.  BORDER SECURITY: INTELLIGENCE. (a) The
  division shall coordinate with the Texas Military Department, state
  and local law enforcement agencies, federal agencies, and any other
  entity the division determines appropriate to secure the
  international border.
         (b)  In coordinating with the entities described by
  Subsection (a), the division shall:
               (1)  collect, analyze, and provide intelligence for
  each major operation to secure the international border, including
  consulting with the Texas Military Department and other appropriate
  agencies that collect, analyze, or provide intelligence to the
  governor, the department, and other entities deployed on major
  operations;
               (2)  make recommendations on essential tasks and
  desired results for each element of a major operation;
               (3)  provide augmented equipment and personnel for a
  major operation; and
               (4)  conduct periodic internal reviews of
  interoperability among agencies deployed on a major operation and
  make available reports on subsequent efforts to improve
  interoperability.
         (c)  Each month, the division shall provide a report to the
  governor on the major operations conducted by this state to secure
  the international border.
         Sec. 411.555.  BORDER SECURITY: GRANT RECOMMENDATIONS. The
  division shall advise the criminal justice division of the
  governor's office on the allocation of grants under the prosecution
  of border crime grant program established under Section 772.0071.
         Sec. 411.556.  CRITICAL INFRASTRUCTURE AND POWER GRID. (a)
  The division shall coordinate with federal, state, and local
  agencies, and any other entity the division determines appropriate,
  to protect the critical infrastructure of this state and the ERCOT
  power grid from remote and physical attacks, including:
               (1)  oil and gas infrastructure, including:
                     (A)  oil, gas, and chemical pipelines;
                     (B)  oil and gas drilling sites; and
                     (C)  oil, gas, and chemical production
  facilities;
               (2)  electrical power generating facilities,
  substations, switching stations, and electrical control centers;
               (3)  petroleum and alumina refineries and chemical,
  polymer, and rubber manufacturing facilities; and
               (4)  water intake structures, water treatment
  facilities, wastewater treatment plants, and pump stations.
         (b)  In coordinating the efforts of this state to secure
  critical infrastructure and the ERCOT power grid, the division
  shall cooperate with the Cybersecurity and Infrastructure Security
  Agency, the United States Department of Energy, and the Homeland
  Security Fusion Center.
         Sec. 411.557.  CRITICAL INFRASTRUCTURE: INVESTIGATION OF
  CERTAIN PURCHASES. The division shall investigate any purchases of
  substantial portions of land or infrastructure in this state by a
  designated country, as that term is defined by Section 2274.0101,
  as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature,
  Regular Session, 2021.
         Sec. 411.558.  PROHIBITED EQUIPMENT REPORTS. At least
  annually, the division shall issue a report to the governor,
  lieutenant governor, members of the legislature, and all state
  agencies identifying equipment that the United States Department of
  Defense has prohibited entities that contract with the department
  of defense from using.
         Sec. 411.559.  CYBERSECURITY: WEBSITE FOR REPORTING THREATS
  AND ATTACKS. The division shall develop a secure Internet website
  that is accessible by state agencies and local governments and
  permits those entities to report to the division suspected
  cybersecurity threats and attacks against those entities.
         Sec. 411.560.  BUDGET REQUESTS. (a) Not later than April 1
  of each even-numbered year, the division director shall submit to
  the public safety director a request for appropriations that
  estimates the cost of the division's operations.
         (b)  A request for appropriations described by Subsection
  (a) may not be aggregated with any other appropriation request made
  by the department when the request is submitted to a legislative
  committee with jurisdiction over appropriations.
         SECTION 3.  Section 421.021, Government Code, is amended by
  adding Subsection (a-1) to read as follows:
         (a-1)  The Homeland Security Council is composed of:
               (1)  the governor or the governor's designee;
               (2)  the lieutenant governor or the lieutenant
  governor's designee;
               (3)  the director of the Texas Homeland Security
  Division of the Department of Public Safety; and
               (4)  other persons appointed by the governor or
  lieutenant governor.
         SECTION 4.  Section 421.023, Government Code, is amended by
  amending Subsections (c) and (d) and adding Subsection (f) to read
  as follows:
         (c)  The governor shall designate the director of the Texas
  Homeland Security Division of the Department of Public Safety as
  the presiding officer of the council.
         (d)  The council shall meet at the call of the presiding
  officer [governor] and shall meet at least once each quarter in a
  calendar year.
         (f)  The presiding officer shall appoint a secretary, who may
  be a member of the council, to record meeting minutes and
  attendance.
         SECTION 5.  Section 421.024, Government Code, is amended to
  read as follows:
         Sec. 421.024.  DUTIES. The council shall advise the
  governor on:
               (1)  the implementation of the governor's homeland
  security strategy by state and local agencies and provide specific
  suggestions for helping those agencies implement the strategy;
  [and]
               (2)  recommendations from the Texas Homeland Security
  Division of the Department of Public Safety on improving the
  security of this state; and
               (3)  other matters related to the planning,
  development, coordination, and implementation of initiatives to
  promote the governor's homeland security strategy.
         SECTION 6.  Chapter 421, Government Code, is amended by
  adding Subchapter E-1 to read as follows:
  SUBCHAPTER E-1. HOMELAND SECURITY FUSION CENTER
         Sec. 421.0901.  DEFINITIONS. In this subchapter:
               (1)  "Board" means the oversight board of the homeland
  security fusion center.
               (2)  "Director" means the director of the Texas
  Homeland Security Division of the Department of Public Safety.
         Sec. 421.0902.  HOMELAND SECURITY FUSION CENTER. (a) From
  funds available for this purpose, the director may:
               (1)  establish the homeland security fusion center; and
               (2)  hire employees to operate the homeland security
  fusion center.
         (b)  The homeland security fusion center shall:
               (1)  collect, receive, generate, and disseminate
  intelligence critical for homeland security policy and homeland
  security activities in this state, including the issuance of
  relevant threat warnings;
               (2)  promote and improve intelligence sharing:
                     (A)  among public safety and public service
  agencies at the federal, state, local, and tribal levels; and
                     (B)  with entities in the private sector operating
  critical infrastructure and other key resources;
               (3)  otherwise support federal, state, local, and
  tribal agencies and private organizations in preventing, preparing
  for, responding to, and recovering from homeland security threats
  and attacks; and
               (4)  maintain intelligence collected, received, or
  generated in compliance with applicable state and federal law and
  in a secure manner, including:
                     (A)  providing appropriate security for a
  facility that contains sensitive information;
                     (B)  compartmentalizing sensitive information;
  and
                     (C)  adopting appropriate internal procedures for
  the security of the facility and the information.
         Sec. 421.0903.  OVERSIGHT BOARD; QUALIFICATIONS; RULES. (a)
  If the homeland security fusion center is established under Section
  421.0902, there is also established an oversight board that shall
  govern the operations of the homeland security fusion center.
         (b)  The board is composed of:
               (1)  the director;
               (2)  the adjutant general; and
               (3)  other persons appointed by the director.
         (c)  The director serves as the chair of the board and the
  adjutant general serves as the vice chair.
         (d)  A member of the board must have and maintain a secret
  security clearance granted by the United States government. A
  person who has applied for a secret security clearance and has been
  granted an interim secret security clearance may serve as a member
  of the board but may not be given access to classified information,
  participate in a briefing involving classified information, or vote
  on an issue involving classified information before the person is
  granted a secret security clearance.
         (e)  The board may adopt rules, policies, and procedures for
  the operation of the homeland security fusion center.
         Sec. 421.0904.  GIFTS, GRANTS, AND DONATIONS; DEDICATED
  ACCOUNT. (a) The homeland security fusion center may accept gifts,
  grants, and donations of any kind from any public or private source,
  including services or property, for the purpose of paying the costs
  to establish, maintain, or operate the homeland security fusion
  center.
         (b)  The homeland security fusion center shall remit all
  amounts received under this section to the comptroller. The
  comptroller shall deposit the amounts to the credit of an account in
  the general revenue fund that may be appropriated only to the
  Department of Public Safety to provide funding for establishing,
  maintaining, or operating the homeland security fusion center.
         (c)  The board must approve expenditures made for the
  purposes described by Subsection (b).
         Sec. 421.0905.  ADMINISTRATIVE SUPPORT. The Texas Homeland
  Security Division of the Department of Public Safety shall provide
  administrative support for the homeland security fusion center and
  the board, including securely maintaining the records of the board.
         SECTION 7.  Section 2054.077(d), Government Code, is amended
  to read as follows:
         (d)  The information security officer shall provide an
  electronic copy of the vulnerability report on its completion to:
               (1)  the Texas Homeland Security Division of the
  Department of Public Safety;
               (2)  the department;
               (3) [(2)]  the state auditor;
               (4) [(3)]  the agency's executive director;
               (5) [(4)]  the agency's designated information
  resources manager; and
               (6) [(5)]  any other information technology security
  oversight group specifically authorized by the legislature to
  receive the report.
         SECTION 8.  Section 2054.1125, Government Code, is amended
  by amending Subsection (b) and adding Subsections (d) and (e) to
  read as follows:
         (b)  A state agency that owns, licenses, or maintains
  computerized data that includes sensitive personal information,
  confidential information, or information the disclosure of which is
  regulated by law shall, in the event of a breach or suspected breach
  of system security or an unauthorized exposure of that information:
               (1)  comply with the notification requirements of
  Section 521.053, Business & Commerce Code, to the same extent as a
  person who conducts business in this state; and
               (2)  not later than 48 hours after the discovery of the
  breach, suspected breach, or unauthorized exposure, notify:
                     (A)  the Texas Homeland Security Division of the
  Department of Public Safety;
                     (B)  the department, including the chief
  information security officer; and
                     (C)  [or (B)] if the breach, suspected breach, or
  unauthorized exposure involves election data, the secretary of
  state.
         (d)  The Texas Homeland Security Division of the Department
  of Public Safety shall notify the governor of any breach or
  suspected breach reported to the division under this section.
         (e)  The administrative head of a state agency commits an
  offense if the person intentionally or knowingly fails to notify
  the Texas Homeland Security Division of the Department of Public
  Safety of a breach, suspected breach, or unauthorized exposure, as
  required by Subsection (b)(2)(A). An offense under this subsection
  is a Class C misdemeanor.
         SECTION 9.  Section 2054.133(f), Government Code, is amended
  to read as follows:
         (f)  Not later than November 15 of each even-numbered year,
  the department shall submit a written report to the governor, the
  lieutenant governor, and each standing committee of the legislature
  with primary jurisdiction over matters related to the department
  evaluating information security for this state's information
  resources. In preparing the report, the department shall consider
  the information security plans submitted by state agencies under
  this section, any vulnerability reports submitted under Section
  2054.077, any relevant information provided by the Texas Homeland
  Security Division of the Department of Public Safety, and other
  available information regarding the security of this state's
  information resources. The department shall omit from any written
  copies of the report information that could expose specific
  vulnerabilities in the security of this state's information
  resources.
         SECTION 10.  Section 2054.511, Government Code, is amended
  to read as follows:
         Sec. 2054.511.  CYBERSECURITY COORDINATOR. (a) The
  executive director shall designate an employee of the department as
  the state cybersecurity coordinator to oversee cybersecurity
  matters for this state.
         (b)  The director of the Texas Homeland Security Division of
  the Department of Public Safety and the cybersecurity coordinator
  shall jointly improve the efficacy and efficiency of this state's
  response to and investigations of cyber attacks occurring in this
  state.
         SECTION 11.  Section 2054.512(b), Government Code, is
  amended to read as follows:
         (b)  The cybersecurity council must include:
               (1)  one member who is an employee of the office of the
  governor;
               (2)  one member of the senate appointed by the
  lieutenant governor;
               (3)  one member of the house of representatives
  appointed by the speaker of the house of representatives;
               (4)  the director of the Texas Homeland Security
  Division of the Department of Public Safety;
               (5)  one member who is an employee of the Elections
  Division of the Office of the Secretary of State; and
               (6) [(5)]  additional members appointed by the state
  cybersecurity coordinator, including representatives of
  institutions of higher education and private sector leaders.
         SECTION 12.  Section 2054.515(b), Government Code, as
  amended by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the
  87th Legislature, Regular Session, 2021, is reenacted and amended
  to read as follows:
         (b)  Not later than December 1 of the year [November 15 of
  each even-numbered year] in which a state agency conducts the
  assessment under Subsection (a) or the 60th day after the date the
  agency completes the assessment, whichever occurs first, the agency
  shall report the results of the assessment to:
               (1)  the Texas Homeland Security Division of the
  Department of Public Safety;
               (2)  the department; and
               (3) [(2)]  on request, the governor, the lieutenant
  governor, and the speaker of the house of representatives.
         SECTION 13.  Section 2054.518(a), Government Code, is
  amended to read as follows:
         (a)  In consultation with the Texas Homeland Security
  Division of the Department of Public Safety, the [The] department
  shall develop a plan to address cybersecurity risks and incidents
  in this state. The department may enter into an agreement with a
  national organization, including the National Cybersecurity
  Preparedness Consortium, to support the department's efforts in
  implementing the components of the plan for which the department
  lacks resources to address internally. The agreement may include
  provisions for:
               (1)  providing technical assistance services to
  support preparedness for and response to cybersecurity risks and
  incidents;
               (2)  conducting cybersecurity simulation exercises for
  state agencies to encourage coordination in defending against and
  responding to cybersecurity risks and incidents;
               (3)  assisting state agencies in developing
  cybersecurity information-sharing programs to disseminate
  information related to cybersecurity risks and incidents; and
               (4)  incorporating cybersecurity risk and incident
  prevention and response methods into existing state emergency
  plans, including continuity of operation plans and incident
  response plans.
         SECTION 14.  Subchapter F, Chapter 2270, Government Code, is
  amended by adding Section 2270.0254 to read as follows:
         Sec. 2270.0254.  ADMINISTRATIVE PENALTY. The Department of
  Public Safety may impose an administrative penalty in the same
  manner and using the same procedures as Subchapter R, Chapter 411,
  against a person who violates this chapter.
         SECTION 15.  Chapter 2274, Government Code, as added by
  Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular
  Session, 2021, is amended by adding Section 2274.0104 to read as
  follows:
         Sec. 2274.0104.  ADMINISTRATIVE PENALTY. The Department of
  Public Safety may impose an administrative penalty in the same
  manner and using the same procedures as Subchapter R, Chapter 411,
  against a person who violates this chapter.
         SECTION 16.  Section 205.010(a), Local Government Code, is
  amended by adding Subdivision (1-a) to read as follows:
               (1-a)  "Local government" means a municipality,
  county, special district or authority, or any other political
  subdivision of this state.
         SECTION 17.  Section 205.010, Local Government Code, is
  amended by adding Subsections (c), (d), and (e) to read as follows:
         (c)  In addition to notifying the attorney general under
  Section 521.053, Business & Commerce Code, of a breach of system
  security, the local government shall report the breach to the Texas
  Homeland Security Division of the Department of Public Safety. The
  division shall notify the governor of a breach of system security
  reported to the division under this section.
         (d)  Not later than the 10th business day after the date of
  the eradication, closure, and recovery from a breach, a local
  government shall notify the Department of Information Resources,
  including the chief information security officer, of the details of
  the event and include in the notification an analysis of the cause
  of the event.
         (e)  The administrative head of a local government commits an
  offense if the person intentionally or knowingly fails to notify
  the Texas Homeland Security Division of the Department of Public
  Safety of a breach of system security as required by Subsection (c).
  An offense under this subsection is a Class C misdemeanor.
         SECTION 18.  (a) Section 421.021(a), Government Code, as
  amended by Chapters 93 (S.B. 686), 616 (S.B. 1393), and 1217 (S.B.
  1536), Acts of the 83rd Legislature, Regular Session, 2013, is
  repealed.
         (b)  Section 421.021(c), Government Code, is repealed.
         SECTION 19.  As soon as practicable after the Texas Homeland
  Security Division of the Department of Public Safety of the State of
  Texas is established, the division shall notify each state agency
  and local government of the requirements to notify the division of a
  breach of system security under Section 2054.1125, Government Code,
  as amended by this Act, and Section 205.010, Local Government Code,
  as amended by this Act, including the criminal penalties that may be
  imposed for failure to comply with those requirements.
         SECTION 20.  It is the intent of the 88th Legislature,
  Regular Session, 2023, that the amendments made by this Act be
  harmonized with another Act of the 88th Legislature, Regular
  Session, 2023, relating to nonsubstantive additions to and
  corrections in enacted codes.
         SECTION 21.  This Act takes effect September 1, 2023.