BILL ANALYSIS
|
Senate Research Center |
H.B. 1500 |
|
89R14618 LRM-D |
By: Bell, Keith et al. (Parker) |
|
|
Business & Commerce |
|
|
5/15/2025 |
|
|
Engrossed |
AUTHOR'S / SPONSOR'S STATEMENT OF INTENT
As the state's information technology (IT) agency, the Department of Information Resources (DIR) coordinates technology planning, oversees the state's cybersecurity posture, provides telecommunications services, and manages the state's cooperative IT procurements, data center, and state website. DIR is subject to abolishment under the Texas Sunset Act on September 1, 2025, unless continued by the legislature. In its review of DIR, the Sunset Advisory Commission (Sunset) recommended continuing it for another 12 years, while including numerous recommendations for changes regarding DIR's structure, duties, and functions. These recommendations include adjusting DIR's advisory committees and restructuring its board to better represent and serve government entities with widely differing IT needs. Moreover, Sunset recommended DIR provide more training and assistance to other agencies with their own IT procurements, given the risk to the state of those high-dollar contracts. Sunset also recommended providing more cybersecurity training for state and local government entities. H.B. 1500 seeks to implement these recommendations and continue DIR for another 12 years.
H.B. 1500 amends current law relating to the continuation and functions of the Department of Information Resources, including the composition of the governing body of the department.
RULEMAKING AUTHORITY
Rulemaking authority is expressly granted to the governing board of the Department of Information Resources in SECTION 7 (Section 2054.033, Government Code) and SECTION 8 (Section 2054.0333, 2054.0335, and 2054.0337, Government Code) of this bill.
Rulemaking authority previously granted to the Department of Information Resources is modified in SECTION 18 (Section 2054.515, Government Code) of this bill
Rulemaking authority is expressly granted to the Department of Information Resources in SECTION 20 (Section 2054.5195, Government Code) of this bill.
SECTION BY SECTION ANALYSIS
SECTION 1. Amends Subchapter C, Chapter 656, Government Code, by adding Sections 656.0505 and 656.0506, as follows:
Sec. 656.0505. VOLUNTARY CERTIFICATION COURSE ON PROCUREMENT OF INFORMATION RESOURCES TECHNOLOGIES. (a) Defines "department" and "information resources technologies."
(b) Requires the Department of Information Resources (DIR), in coordination with the Comptroller of Public Accounts of the State of Texas (comptroller), to develop and implement a certification course on the procurement of information resources technologies and make the course available to a person who meets certain criteria.
(c) Requires DIR to provide the course at least quarterly and to provide the course in person.
(d) Requires DIR to certify a state agency employee who successfully completes the course.
(e) Authorizes successful completion of the course to be credited toward any continuing education requirements for maintaining a certification under Section 656.051 (Training and Certification of State Agency Purchasing Personnel and Vendors) or 656.052 (Training and Certification for Contract Managers), or both.
Sec. 656.0506. TRAINING ON PURCHASES OF INFORMATION RESOURCES TECHNOLOGIES FOR CERTAIN STATE AGENCY OFFICERS AND EMPLOYEES. (a) Defines "department" and "information resources technologies."
(b) Requires DIR to develop and provide annual training for persons who serve in upper management positions at state agencies, including elected or appointed state officers and executive heads of state agencies on best practices and methodologies for purchasing information resources technologies.
(c) Requires DIR to include in the training provided under Subsection (b) information DIR covers in the certification programs established by Sections 656.051 and 656.052 that is related to the purchase of information resources technologies. Authorizes DIR to include additional topics in the training.
(d) Prohibits DIR from requiring a person described by Subsection (b) to participate in the training.
SECTION 2. Amends Section 2053.003(13), Government Code, to redefine "state agency."
SECTION 3. Amends Section 2054.005, Government Code, as follows:
Sec. 2054.005. SUNSET PROVISION. Provides that, unless continued in existence as provided by Chapter 325 (Texas Sunset Act), DIR is abolished September 1, 2037, rather than September 1, 2025. Deletes existing text providing that Chapter 2054 (Information Resources) expires September 1, 2025. Makes nonsubstantive changes.
SECTION 4. Amends Section 2054.021, Government Code, by amending Subsections (a), (c), (f), (g), and (h) and adding Subsections (a-1), (c-1), (c-2), and (i), as follows:
(a) Defines "state agency."
(a-1) Creates this subsection from existing text. Provides that DIR is governed by a board composed of 11 members as follows: seven voting members appointed by the governor with the advice and consent of the senate and four nonvoting members as provided by Subsection (c).
Deletes existing text requiring one member to be employed by an institution of higher education as defined by Section 61.003 (Definitions), Education Code. Deletes existing text providing that two groups each composed of three ex officio members serve on the governing board of DIR on a rotating basis. Deletes existing text providing that the ex officio members serve as nonvoting members of the board. Deletes existing text providing that only one group serves at a time. Deletes existing text providing that the first group is composed of the commissioner of insurance, the executive commissioner of the Health and Human Services Commission, and the executive director of the Texas Department of Transportation. Deletes existing text providing that members of the first group serve for two-year terms that begin February 1 of every other odd-numbered year and that expire on February 1 of the next odd-numbered year. Deletes existing text providing that the second group is composed of the commissioner of education, the executive director of the Texas Department of Criminal Justice, and the executive director of the Parks and Wildlife Department. Deletes existing text providing that members of the second group serve for two-year terms that begin February 1 of the odd-numbered years in which the terms of members of the first group expire and that expire on February 1 of the next odd-numbered year.
(c) Requires the governor to appoint as nonvoting members of the board four persons who meet certain requirements.
(c-1) Requires DIR, not later than December 1 of each even-numbered year, to provide the governor a list of the 10 state agencies that spent the most money on products and services of DIR during the previous state fiscal year.
(c-2) Provides that a nonvoting member of the board serves for a two-year term that expires February 1 of each odd-numbered year.
(f) Prohibits a person who is appointed to and qualifies for office as a member of the board from voting, deliberating, or being counted as a member in attendance at a meeting of the board until the person completes a training program that complies with Subsection (g) and signs and submits to the executive director of DIR (executive director) a statement acknowledging that the member completed the training program and the training required under Section 656.053 (Training for Governing Bodies).
Deletes existing text requiring a person appointed to or scheduled to serve as an ex officio member of the board, to be eligible to take office or serve as a voting or nonvoting member of the board, to complete at least one course of a training program that complies with Section 2054.021 (Composition of Board; Terms; Training). Deletes existing text requiring a voting or nonvoting member to complete a training program that complies with Subsection (g) not later than the 180th day after the date on which the person takes office or begins serving as a member of the board. Makes nonsubstantive changes.
(g) Requires that the training program provide the person with information regarding the law governing DIR operations and the board to which the person is appointed to serve; the programs, functions, rules, and budget of DIR; the scope of and limitations on the rulemaking authority of DIR; the results of the most recent formal audit of DIR; the requirements of laws relating to open meetings, public information, administrative procedure, and disclosing conflicts of interest and other laws applicable to members of a state policy-making body in performing their duties; any applicable ethics policies adopted by DIR or the Texas Ethics Commission; and contract management training.
Deletes existing text requiring that the training program provide information to the person regarding this chapter and the board to which the person is appointed to serve; the programs operated by DIR; the role and functions of DIR; the rules of DIR, with an emphasis on the rules that relate to disciplinary and investigatory authority; the current budget for DIR; the results of the most recent formal audit of DIR; and the requirements of certain applicable laws. Makes nonsubstantive changes.
(h) Provides that a person appointed to the board is entitled to reimbursement, as provided by the General Appropriations Act, for travel expenses incurred in attending the training program, regardless of whether the attendance at the program occurs before or after the person qualifies for office, rather than as provided by the General Appropriations Act and as if the person were a member of the board.
(i) Requires the executive director to create a training manual that includes the information required by Subsection (g). Requires the executive director to distribute a copy of the training manual annually to each member of the board. Requires each member of the board to sign and submit to the executive director a statement acknowledging that the member received and has renewed the training manual.
SECTION 5. Amends Section 2054.024(c), Government Code, as follows:
(c) Requires the governor, if the final result of an action brought in a court of competent jurisdiction is that a board member is prohibited from serving on the board under the Texas Constitution, to appoint a replacement who is authorized to serve.
Deletes existing text requiring an appropriate individual, if the final result of an action brought in a court of competent jurisdiction is that an ex officio or other member of the board is prohibited from serving on the board under the Texas Constitution, to promptly submit a list to the governor for the appointment of a replacement who is authorized to serve.
SECTION 6. Amends the heading to Section 2054.033, Government Code, to read as follows:
Sec. 2054.033. ESTABLISHMENT OF ADVISORY COMMITTEES; ADMINISTRATION AND REQUIREMENTS.
SECTION 7. Amends Section 2054.033, Government Code, by amending Subsection (a) and adding Subsections (e), (f), and (g), as follows:
(a) Authorizes the board and the executive director, if authorized by the board, by rule to establish, rather than appoint, advisory committees as DIR considers necessary to provide expertise to DIR.
(e) Requires the board, with respect to an advisory committee whose jurisdiction covers a service provided by DIR to state agencies, in appointing members to the advisory committee, to the extent practicable, to ensure that the advisory committee is composed of a cross-section of DIR's customers who use the service and appoint, in addition to the member required by Subsection (d) (relating to requiring one member of each advisory committee to be an employee of a state agency), at least one member who is an employee of a state agency with 500 or fewer full-time employees.
(f) Requires the board to adopt rules to govern each advisory committee of DIR. Requires that the rules include certain provisions.
(g) Provides that, except as otherwise provided by this chapter, an advisory committee of DIR is subject to Chapter 2110 (State Agency Advisory Committees).
SECTION 8. Amends Subchapter B, Chapter 2054, Government Code, by adding Sections 2054.0333, 2054.0335, and 2054.0337, as follows:
Sec. 2054.0333. ADVISORY COMMITTEES ON DEPARTMENT FUNCTIONS REQUIRED. Requires the board by rule to establish advisory committees under Section 2054.033 that advise the board on governing DIR and cover in subject matter DIR's primary functions, including at least one advisory committee for each of certain subjects.
Sec. 2054.0335. STATEWIDE INFORMATION SECURITY ADVISORY COMMITTEE. (a) Requires the board by rule to establish an advisory committee under Section 2054.033 to make recommendations to DIR on improving the effectiveness of DIR's and this state's information security operations.
(b) Requires the advisory committee to include members who are information security professionals employed by state agencies and local governments.
(c) Provides that the presiding officer of the advisory committee is the chief information security officer under Section 2054.510 (Chief Information Security Officer).
Sec. 2054.0337. CUSTOMER ADVISORY COMMITTEE. (a) Requires the board by rule to establish an advisory committee under Section 2054.033 to report to and advise the board on improving the effectiveness and efficiency of services provided by DIR to customers.
(b) Requires the board to appoint advisory committee members who are employees of state agencies that use DIR's services and have 500 or fewer full-time employees, including at least three members who are employees of state agencies that have 150 or fewer full-time employees.
SECTION 9. Amends Section 2054.035(b), Government Code, to delete existing text requiring DIR to prepare information of public interest describing the procedures by which complaints are filed with and resolved by DIR.
SECTION 10. Amends Section 2054.036, Government Code, as follows:
Sec. 2054.036. COMPLAINTS. (a) Requires DIR to maintain a system to promptly and efficiently act on complaints filed with DIR. Requires DIR to maintain information about parties to the complaint, the subject matter of the complaint, and a summary of the results of the review or investigation of the complaint, and its disposition.
Deletes existing text requiring DIR to keep a file about each written complaint filed with DIR that DIR has authority to resolve. Deletes existing text requiring DIR to provide to the person filing the complaint and the persons or entities complained about DIR's policies and procedures pertaining to complaint investigation and resolution. Deletes existing text requiring DIR, at least quarterly and until final disposition of the complaint, to notify the person filing the complaint and the persons or entities complained about of the status of the complaint unless the notice would jeopardize an undercover investigation.
(b) Requires DIR to make information available describing its procedures for complaint investigation and resolution, rather than to keep information about each complaint filed with DIR.
Deletes existing text requiring that the information include certain details.
(c) Requires DIR to periodically notify the complaint parties of the status of the complaint until final disposition unless the notice would jeopardize an ongoing investigation.
SECTION 11. Amends Sections 2054.055(b) and (b-2), Government Code, as follows:
(b) Deletes existing text requiring that the performance report presented by DIR to the board provide a summary of the amount and use of Internet-based training conducted by each state agency and institution of higher education. Makes nonsubstantive changes.
(b-2) Makes a conforming change to this subsection.
SECTION 12. Amends Subchapter C, Chapter 2054, Government Code, by adding Section 2054.057, as follows:
Sec. 2054.057. PROCUREMENT SERVICES PILOT PROGRAM. (a) Defines "participating state agency," "pilot program," and "state agency."
(b) Requires DIR to establish a pilot program under which DIR provides assistance in the procurement of information resources technologies on request by a participating state agency.
(c) Authorizes a state agency to participate in the pilot program only if DIR approves of the participation in writing.
(d) Authorizes DIR to limit the number of participating state agencies in the pilot program and types of information resources technologies for which procurement assistance is provided under the pilot program.
(e) Authorizes services under the pilot program to include assistance with procurement planning, developing a cost estimate for an information resources technologies project, and drafting and developing a solicitation.
(f) Provides that, with respect to any procurement assistance provided by DIR under the pilot program, DIR is prohibited from controlling the procurement for which the assistance is provided or the management of any resulting contract and is not civilly liable for �damages resulting from the provision of procurement assistance unless the damages result from intentional conduct or gross negligence.
(g) Requires DIR, not later than December 1, 2028, to submit a report to the legislature that includes a summary of the pilot program's activities and a recommendation of whether to continue or expand the program.
(h) Provides that this section expires January 1, 2029.
SECTION 13. Amends Section 2054.075(b), Government Code, to delete existing text requiring DIR to report the extent and results of state agencies' compliance with this subsection to the legislature.
SECTION 14. Amends Section 2054.097, Government Code, by adding Subsections (c), (d), and (e), as follows:
(c) Requires DIR, once every two years, to conduct a limited evaluation of the information resources deployment review of at least five state agencies to verify the accuracy of those reviews. Authorizes DIR to limit the evaluation to review responses on subjects that represent the highest risks or greatest opportunities for improvement regarding the state agency's software, hardware, compliance, and cybersecurity.
(d) Provides that DIR is not required to conduct site visits as part of the limited evaluation required by Subsection (c).
(e) Requires DIR to use information received from the limited evaluation required by Subsection (c) to update trainings for and outreach to information resources managers on accurately completing the information resources deployment review. Recommend information resources technology solutions to state agencies as needed.
SECTION 15. Amends Section 2054.2606(c), Government Code, to make nonsubstantive changes.
SECTION 16. Amends Section 2054.456(a), Government Code, to make a nonsubstantive change.
SECTION 17. Amends the heading to Section 2054.515, Government Code, to read as follows:
Sec. 2054.515. AGENCY DATA GOVERNANCE ASSESSMENT AND REPORT.
SECTION 18. Amends Section 2054.515, Government Code, by amending Subsections (a), (c), and (d) and adding Subsection (a-1), as follows:
(a) Deletes existing text requiring each state agency, at least once every two years, to conduct an information security assessment of the agency's information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities. Makes nonsubstantive changes.
(a-1) Requires each state agency, not later than June 1 of each even-numbered year, to report the results of the assessment conducted under Subsection (a) to DIR and on request, the governor, the lieutenant governor, and the speaker of the house of representatives.
(c)-(d) Makes conforming changes to these subsections.
SECTION 19. Amends Sections 2054.5191(a), (a-1), and (a-2), Government Code, as follows:
(a) Requires each employee of a state agency and each elected or appointed officer of the agency, at least once a year, to complete a cybersecurity training program certified under Section 2054.519 (State Certified Cybersecurity Training Programs).
Deletes existing text requiring each state agency to identify state employees who use a computer to complete at least 25 percent of the employee's required duties. Deletes existing text requiring an employee identified by the state agency and each elected or appointed officer of the agency, at least once a year, to complete a cybersecurity training program certified under Section 2054.519.
(a-1) Requires each employee and each elected or appointed official of a local government, at least once each year, to complete a cybersecurity training program certified under Section 2054.519.
Deletes existing text requiring a local government, at least once each year, to identify certain local government employees and officials and require the employees and officials to complete a certain cybersecurity training program. Makes nonsubstantive changes.
(a-2) Makes conforming changes to this subsection.
SECTION 20. Amends Subchapter N-1, Chapter 2054, Government Code, by adding Section 2054.5195, as follows:
Sec. 2054.5195. INFORMATION SECURITY ASSESSMENT AND PENETRATION TEST REQUIRED. (a) Provides that this section does not apply to a university system or institution of higher education as defined by Section 61.003, Education Code.
(b) Requires DIR, at least once every two years, to require each state agency to complete an information security assessment and a penetration test to be performed by DIR or, at DIR's discretion, a vendor selected by DIR.
(c) Requires DIR to establish rules as necessary to implement this section, including rules for the procurement of a vendor under Subsection (b).
SECTION 21. Repealers: Sections 2054.021(d) (relating to authorizing an ex officio member to designate certain employees of the member's agency to serve in the member's place) and 2054.023(c) (relating to providing that an ex officio member is entitled to certain reimbusrements), Government Code.
Repealer: Section 2054.0331 (Customer Advisory Committee), Government Code.
Repealers: Sections 2054.091(d) (relating to requiring the executive director to appoint an advisory to assist in the state strategic plan for information resources management) and 2054.0925(c) (relating to requiring certain telecommunications elements to incorporate certain efficiencies), Government Code.
Repealers: Sections 2054.515(b) (relating to requiring a state agency to report the results of a certain assessment to certain entities by a certain time), as amended by Chapter 567 (S.B. 475), Acts of the 87th Legislature, Regular Session, 2021, and 2054.515(b) (relating to requiring a state agency to report the results of a certain assessment to certain entities by a certain time), as amended by Chapter 856 (S.B. 800), Acts of the 87th Legislature, Regular Session, 2021, Government Code.
SECTION 22. (a) Defines "institution of higher education."
(b) Requires the governor, as soon as possible after the effective date of this Act, as the terms of members of the board expire or as vacancies occur, to appoint members to the board so that the board is composed in accordance with Section 2054.021 (Composition of Board; Terms; Training), Government Code, as amended by this Act, except that the term of the member of the board serving on the board immediately before the effective date of this Act who holds the position of the member who is employed by an institution of higher education expires on that date. Provides that a member of the board whose term expires under this subsection is eligible for reappointment under Subsection (c) of this section.
(c) Requires the governor, not later than December 1, 2025, to appoint the following members to the board in accordance with Section 2054.021, Government Code, as amended by this Act: one voting member to serve a term that expires February 1, 2031, and one nonvoting member to the position of the member who is employed by an institution of higher education to serve a term that expires February 1, 2027.
SECTION 23. (a) Provides that, except as provided by Subsection (b) of this section, Section 2054.021(f), Government Code, as amended by this Act, applies to a member of the board appointed before, on, or after the effective date of this Act.
(b) Provides that a member of the board who, before the effective date of this Act, completed the training program required by Section 2054.021(f), Government Code, and described in Section 2054.021(g), Government Code, as that law existed before the effective date of this Act, is only required to complete additional training on the subjects added by this Act to the training program described by Section 2054.021(g), Government Code. Prohibits a member described by this subsection from voting, deliberating, or being counted as a member in attendance at a meeting of the board held on or after December 1, 2025, until the member completes the additional training.
SECTION 24. Effective date: September 1, 2025.