| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to the establishment of the Texas Cyber Command as a |
|
|
component institution of The University of Texas System and the |
|
|
transfer to it of certain powers and duties of the Department of |
|
|
Information Resources. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Subtitle B, Title 10, Government Code, is |
|
|
amended by adding Chapter 2063 to read as follows: |
|
|
CHAPTER 2063. TEXAS CYBER COMMAND |
|
|
SUBCHAPTER A. GENERAL PROVISIONS |
|
|
Sec. 2063.001. DEFINITIONS. In this chapter: |
|
|
(1) "Chief" means the chief of the Texas Cyber |
|
|
Command. |
|
|
(2) "Command" means the Texas Cyber Command |
|
|
established under this chapter. |
|
|
(3) "Covered entity" means a private entity operating |
|
|
critical infrastructure or a local government that the command |
|
|
contracts with in order to provide cybersecurity services under |
|
|
this chapter. |
|
|
(4) "Critical infrastructure" means infrastructure in |
|
|
this state vital to the security, governance, public health and |
|
|
safety, economy, or morale of the state or the nation, including: |
|
|
(A) chemical facilities; |
|
|
(B) commercial facilities; |
|
|
(C) communication facilities; |
|
|
(D) manufacturing facilities; |
|
|
(E) dams; |
|
|
(F) defense industrial bases; |
|
|
(G) emergency services systems; |
|
|
(H) energy facilities; |
|
|
(I) financial services systems; |
|
|
(J) food and agriculture facilities; |
|
|
(K) government facilities; |
|
|
(L) health care and public health facilities; |
|
|
(M) information technology and information |
|
|
technology systems; |
|
|
(N) nuclear reactors, materials, and waste; |
|
|
(O) transportation systems; or |
|
|
(P) water and wastewater systems. |
|
|
(5) "Cybersecurity" means the measures taken to |
|
|
protect a computer, computer network, computer system, or other |
|
|
technology infrastructure against unauthorized: |
|
|
(A) use, access, disruption, modification, or |
|
|
destruction; or |
|
|
(B) disclosure, modification, or destruction of |
|
|
information. |
|
|
(6) "Cybersecurity incident" includes: |
|
|
(A) a breach or suspected breach of system |
|
|
security as defined by Section 521.053, Business & Commerce Code; |
|
|
(B) the introduction of ransomware, as defined by |
|
|
Section 33.023, Penal Code, into a computer, computer network, or |
|
|
computer system; or |
|
|
(C) any other cybersecurity-related occurrence |
|
|
that jeopardizes information or an information system designated by |
|
|
command policy adopted under this chapter. |
|
|
(7) "Department" means the Department of Information |
|
|
Resources. |
|
|
(8) "Governmental entity" means this state, a state |
|
|
agency, or a local government. |
|
|
(9) "Information resources" has the meaning assigned |
|
|
by Section 2054.003, Government Code. |
|
|
(10) "Information resources technologies" has the |
|
|
meaning assigned by Section 2054.003. |
|
|
(11) "Local government" has the meaning assigned by |
|
|
Section 2054.003. |
|
|
(12) "Sensitive personal information" has the meaning |
|
|
assigned by Section 521.002, Business & Commerce Code. |
|
|
(13) "State agency" means: |
|
|
(A) a department, commission, board, office, or |
|
|
other agency that is in the executive or legislative branch of state |
|
|
government and that was created by the constitution or a statute; |
|
|
(B) the supreme court, the court of criminal |
|
|
appeals, a court of appeals, a district court, or the Texas Judicial |
|
|
Council or another agency in the judicial branch of state |
|
|
government; or |
|
|
(C) a university system or an institution of |
|
|
higher education as defined by Section 61.003, Education Code. |
|
|
Sec. 2063.002. ORGANIZATION. (a) The Texas Cyber Command |
|
|
is a component of The University of Texas System and |
|
|
administratively attached to The University of Texas at San |
|
|
Antonio. |
|
|
(b) The command is managed by a chief appointed by the |
|
|
governor and confirmed with the advice and consent of the senate. |
|
|
The chief serves at the pleasure of the governor and must possess |
|
|
professional training and knowledge relevant to the functions and |
|
|
duties of the command. |
|
|
(c) The command shall employ other coordinating and |
|
|
planning officers and other personnel necessary to the performance |
|
|
of its functions. |
|
|
(d) Under an agreement with the command, The University of |
|
|
Texas at San Antonio shall provide administrative support services |
|
|
for the command as necessary to carry out the purposes of this |
|
|
chapter. |
|
|
Sec. 2063.003. ESTABLISHMENT AND PURPOSE. (a) The command |
|
|
is established to prevent and respond to cybersecurity incidents |
|
|
that affect governmental entities and critical infrastructure in |
|
|
this state. |
|
|
(b) The command is responsible for cybersecurity for this |
|
|
state, including: |
|
|
(1) developing tools to enhance cybersecurity |
|
|
defenses; |
|
|
(2) facilitating education and training of a |
|
|
cybersecurity workforce; |
|
|
(3) in collaboration with the department, |
|
|
establishing appropriate cybersecurity standards; and |
|
|
(4) creating partnerships needed to effectively carry |
|
|
out the command's functions. |
|
|
Sec. 2063.004. GENERAL POWERS AND DUTIES. (a) The command |
|
|
shall: |
|
|
(1) promote public awareness of cybersecurity issues; |
|
|
(2) develop cybersecurity best practices and minimum |
|
|
standards for governmental entities; |
|
|
(3) develop and provide training to state agencies and |
|
|
covered entities on cybersecurity measures and awareness; |
|
|
(4) administer the cybersecurity threat intelligence |
|
|
center under Section 2063.201; |
|
|
(5) provide support to state agencies and covered |
|
|
entities experiencing a cybersecurity incident; |
|
|
(6) administer the digital forensics laboratory under |
|
|
Section 2063.203; |
|
|
(7) administer a statewide portal for enterprise |
|
|
cybersecurity threat, risk, and incident management, and operate a |
|
|
cybersecurity hotline available for state agencies and covered |
|
|
entities 24 hours a day, seven days a week; |
|
|
(8) collaborate with law enforcement agencies to |
|
|
provide training and support related to cybersecurity incidents; |
|
|
(9) serve as a clearinghouse for information relating |
|
|
to all aspects of protecting the cybersecurity of governmental |
|
|
entities, including sharing appropriate intelligence and |
|
|
information with governmental entities, federal agencies, and |
|
|
covered entities; |
|
|
(10) collaborate with the department to ensure |
|
|
information resources and information resources technologies |
|
|
obtained by the department meet the cybersecurity standards and |
|
|
requirements established under this chapter; |
|
|
(11) offer cybersecurity resources to state agencies |
|
|
and covered entities as determined by the command; and |
|
|
(12) adopt policies to ensure state agencies implement |
|
|
sufficient cybersecurity measures to defend information resources, |
|
|
information resources technologies, and sensitive personal |
|
|
information maintained by the agencies. |
|
|
(b) The command may: |
|
|
(1) adopt and enforce policies necessary to carry out |
|
|
this chapter; |
|
|
(2) adopt and use an official seal; |
|
|
(3) establish ad hoc advisory committees as necessary |
|
|
to carry out the command's duties under this chapter; |
|
|
(4) acquire and convey property or an interest in |
|
|
property; |
|
|
(5) procure insurance and pay premiums on insurance of |
|
|
any type, in accounts, and from insurers as the command considers |
|
|
necessary and advisable to accomplish any of the command's duties; |
|
|
and |
|
|
(6) hold patents, copyrights, trademarks, or other |
|
|
evidence of protection or exclusivity issued under the laws of the |
|
|
United States, any state, or any nation and may enter into license |
|
|
agreements with any third parties for the receipt of fees, |
|
|
royalties, or other monetary or nonmonetary value. |
|
|
(c) Except as otherwise provided by this chapter, the |
|
|
command shall deposit money paid to the command under this chapter |
|
|
in the state treasury to the credit of the general revenue fund. |
|
|
Sec. 2063.005. COST RECOVERY. The command shall recover |
|
|
the cost of providing direct technical assistance, training |
|
|
services, and other services to covered entities when reasonable |
|
|
and practical. |
|
|
Sec. 2063.007. EMERGENCY PURCHASING. In the event the |
|
|
emergency response to a cybersecurity incident requires the command |
|
|
to purchase an item, the command is exempt from the requirements of |
|
|
Sections 2155.0755, 2155.083, and 2155.132(c) in making the |
|
|
purchase. |
|
|
Sec. 2063.008. RULES. The governor may adopt rules |
|
|
necessary for carrying out the purposes of this chapter. |
|
|
Sec. 2063.009. APPLICATION OF SUNSET ACT. The command is |
|
|
subject to Chapter 325 (Texas Sunset Act). Unless continued in |
|
|
existence as provided by that chapter, the command is abolished |
|
|
September 1, 2035. |
|
|
SUBCHAPTER B. MINIMUM STANDARDS AND TRAINING |
|
|
Sec. 2063.101. BEST PRACTICES AND MINIMUM STANDARDS FOR |
|
|
CYBERSECURITY AND TRAINING. (a) The command shall develop and |
|
|
annually assess best practices and minimum standards for use by |
|
|
governmental entities to enhance the security of information |
|
|
resources in this state. |
|
|
(b) The command shall establish and periodically assess |
|
|
mandatory cybersecurity training that must be completed by all |
|
|
information resources employees of state agencies. The command |
|
|
shall consult with the Information Technology Council for Higher |
|
|
Education established under Section 2054.121 regarding applying |
|
|
the training requirements to employees of institutions of higher |
|
|
education. |
|
|
(c) The command shall adopt policies to ensure governmental |
|
|
entities are complying with the requirements of this section. |
|
|
SUBCHAPTER C. CYBERSECURITY PREVENTION, RESPONSE, AND RECOVERY |
|
|
Sec. 2063.201. CYBERSECURITY THREAT INTELLIGENCE CENTER. |
|
|
(a) In this section, "center" means the cybersecurity threat |
|
|
intelligence center established under this section. |
|
|
(b) The command shall establish a cybersecurity threat |
|
|
intelligence center. The center, in coordination with the |
|
|
department, shall: |
|
|
(1) operate the information sharing and analysis |
|
|
organization established under Section 2063.204; and |
|
|
(2) use regional security operations centers |
|
|
established under Subchapter G and the cybersecurity incident |
|
|
response unit under Section 2063.202 to assist governmental |
|
|
entities in responding to a cybersecurity incident. |
|
|
(c) The chief may employ a director for the center. |
|
|
Sec. 2063.202. CYBERSECURITY INCIDENT RESPONSE UNIT. (a) |
|
|
The command shall establish a dedicated cybersecurity incident |
|
|
response unit to: |
|
|
(1) detect and contain cybersecurity incidents in |
|
|
collaboration with the cybersecurity threat intelligence center |
|
|
under Section 2063.201; |
|
|
(2) engage in threat neutralization, including |
|
|
removing malware, disallowing unauthorized access, and patching |
|
|
vulnerabilities in information resources technologies; |
|
|
(3) in collaboration with the digital forensics |
|
|
laboratory under Section 2063.203, undertake mitigation efforts if |
|
|
sensitive personal information is breached during a cybersecurity |
|
|
incident; |
|
|
(4) loan resources to state agencies and covered |
|
|
entities to promote continuity of operations while the agency or |
|
|
entity restores the systems affected by a cybersecurity incident; |
|
|
(5) assist in the restoration of information resources |
|
|
and information resources technologies after a cybersecurity |
|
|
incident and conduct post-incident monitoring; |
|
|
(6) in collaboration with the cybersecurity threat |
|
|
intelligence center under Section 2063.201 and digital forensics |
|
|
laboratory under Section 2063.203, identify weaknesses, establish |
|
|
risk mitigation options and effective vulnerability-reduction |
|
|
strategies, and make recommendations to state agencies and covered |
|
|
entities that have been the target of a cybersecurity attack or have |
|
|
experienced a cybersecurity incident in order to remediate |
|
|
identified cybersecurity vulnerabilities; |
|
|
(7) in collaboration with the cybersecurity threat |
|
|
intelligence center under Section 2063.201, the digital forensics |
|
|
laboratory under Section 2063.203, the Texas Division of Emergency |
|
|
Management, and other state agencies, conduct, support, and |
|
|
participate in cyber-related exercises; and |
|
|
(8) undertake any other activities necessary to carry |
|
|
out the duties described by this subsection. |
|
|
(b) The chief shall employ a director for the cybersecurity |
|
|
incident response unit. |
|
|
Sec. 2063.203. DIGITAL FORENSICS LABORATORY. (a) The |
|
|
command shall establish a digital forensics laboratory to: |
|
|
(1) in collaboration with the cybersecurity incident |
|
|
response unit under Section 2063.202, develop procedures to: |
|
|
(A) preserve evidence of a cybersecurity |
|
|
incident, including logs and communication; |
|
|
(B) document chains of custody; and |
|
|
(C) timely notify and maintain contact with the |
|
|
appropriate law enforcement agencies investigating a cybersecurity |
|
|
incident; |
|
|
(2) develop and share with relevant state agencies and |
|
|
covered entities cyber threat hunting tools and procedures to |
|
|
assist in identifying indicators of a compromise in the |
|
|
cybersecurity of state information systems and non-state |
|
|
information systems, as appropriate, for proactive discovery of |
|
|
latent intrusions; |
|
|
(3) conduct analyses of causes of cybersecurity |
|
|
incidents and of remediation options; |
|
|
(4) conduct assessments of the scope of harm caused by |
|
|
cybersecurity incidents, including data loss, compromised systems, |
|
|
and system disruptions; |
|
|
(5) provide information and training to state agencies |
|
|
and covered entities on producing reports required by regulatory |
|
|
and auditing bodies; |
|
|
(6) in collaboration with the Department of Public |
|
|
Safety, the Texas Military Department, the office of the attorney |
|
|
general, and other state agencies, provide forensic analysis of a |
|
|
cybersecurity incident to support an investigation, attribution |
|
|
process, or other law enforcement or judicial action; and |
|
|
(7) undertake any other activities necessary to carry |
|
|
out the duties described by this subsection. |
|
|
(b) The chief shall employ a director for the digital |
|
|
forensics laboratory. |
|
|
Sec. 2063.205. POLICIES. The command shall adopt policies |
|
|
and procedures necessary to enable the entities established in this |
|
|
subchapter to carry out their respective duties and purposes. |
|
|
SUBCHAPTER E. CYBERSECURITY PREPARATION AND PLANNING |
|
|
Sec. 2063.404. ONGOING INFORMATION TRANSMISSIONS. |
|
|
Information received from state agencies by the department under |
|
|
Section 2054.069 shall be transmitted by the department to the |
|
|
command on an ongoing basis. |
|
|
SECTION 2. Section 2054.510, Government Code, is |
|
|
transferred to Subchapter A, Chapter 2063, Government Code, as |
|
|
added by this Act, redesignated as Section 2063.0025, Government |
|
|
Code, and amended to read as follows: |
|
|
Sec. 2063.0025 [2054.510]. COMMAND CHIEF [INFORMATION |
|
|
SECURITY OFFICER]. (a) In this section, "state cybersecurity |
|
|
[information security] program" means the policies, standards, |
|
|
procedures, elements, structure, strategies, objectives, plans, |
|
|
metrics, reports, services, and resources that establish the |
|
|
cybersecurity [information resources security] function for this |
|
|
state. |
|
|
(b) The chief directs the day-to-day operations and |
|
|
policies of the command and oversees and is responsible for all |
|
|
functions and duties of the command. [The executive director, |
|
|
using existing funds, shall employ a chief information security |
|
|
officer.] |
|
|
(c) The chief [information security officer] shall oversee |
|
|
cybersecurity matters for this state including: |
|
|
(1) implementing the duties described by Section |
|
|
2063.004 [2054.059]; |
|
|
(2) [responding to reports received under Section |
|
|
2054.1125; |
|
|
[(3)] developing a statewide cybersecurity |
|
|
[information security] framework; |
|
|
(3) [(4)] overseeing the development of cybersecurity |
|
|
[statewide information security] policies and standards; |
|
|
(4) [(5)] collaborating with [state agencies, local] |
|
|
governmental entities[,] and other entities operating or |
|
|
exercising control over state information systems or |
|
|
state-controlled data critical to strengthen this state's |
|
|
cybersecurity and information security policies, standards, and |
|
|
guidelines; |
|
|
(5) [(6)] overseeing the implementation of the |
|
|
policies, standards, and requirements [guidelines] developed under |
|
|
this chapter [Subdivisions (3) and (4)]; |
|
|
(6) [(7)] providing cybersecurity [information |
|
|
security] leadership, strategic direction, and coordination for |
|
|
the state cybersecurity [information security] program; |
|
|
(7) [(8)] providing strategic direction to: |
|
|
(A) the network security center established |
|
|
under Section 2059.101; and |
|
|
(B) regional security operations [statewide |
|
|
technology] centers operated under Subchapter G [L]; and |
|
|
(8) [(9)] overseeing the preparation and submission |
|
|
of the report described by Section 2063.301 [2054.0591]. |
|
|
SECTION 3. Section 2054.0592, Government Code, is |
|
|
transferred to Subchapter A, Chapter 2063, Government Code, as |
|
|
added by this Act, redesignated as Section 2063.006, Government |
|
|
Code, and amended to read as follows: |
|
|
Sec. 2063.006 [2054.0592]. CYBERSECURITY EMERGENCY |
|
|
FUNDING. If a cybersecurity event creates a need for emergency |
|
|
funding, the command [department] may request that the governor or |
|
|
Legislative Budget Board make a proposal under Chapter 317 to |
|
|
provide funding to manage the operational and financial impacts |
|
|
from the cybersecurity event. |
|
|
SECTION 4. Section 2054.519, Government Code, is |
|
|
transferred to Subchapter B, Chapter 2063, Government Code, as |
|
|
added by this Act, redesignated as Section 2063.102, Government |
|
|
Code, and amended to read as follows: |
|
|
Sec. 2063.102 [2054.519]. STATE CERTIFIED CYBERSECURITY |
|
|
TRAINING PROGRAMS. (a) The command [department], in consultation |
|
|
with the cybersecurity council established under Section 2063.406 |
|
|
[2054.512] and industry stakeholders, shall annually: |
|
|
(1) certify at least five cybersecurity training |
|
|
programs for state and local government employees; and |
|
|
(2) update standards for maintenance of certification |
|
|
by the cybersecurity training programs under this section. |
|
|
(b) To be certified under Subsection (a), a cybersecurity |
|
|
training program must: |
|
|
(1) focus on forming appropriate cybersecurity |
|
|
[information security] habits and procedures that protect |
|
|
information resources; and |
|
|
(2) teach best practices and minimum standards |
|
|
established under this subchapter [for detecting, assessing, |
|
|
reporting, and addressing information security threats]. |
|
|
(c) The command [department] may identify and certify under |
|
|
Subsection (a) training programs provided by state agencies and |
|
|
local governments that satisfy the training requirements described |
|
|
by Subsection (b). |
|
|
(d) The command [department] may contract with an |
|
|
independent third party to certify cybersecurity training programs |
|
|
under this section. |
|
|
(e) The command [department] shall annually publish on the |
|
|
command's [department's] Internet website the list of cybersecurity |
|
|
training programs certified under this section. |
|
|
SECTION 5. Section 2054.5191, Government Code, is |
|
|
transferred to Subchapter B, Chapter 2063, Government Code, as |
|
|
added by this Act, redesignated as Section 2063.103, Government |
|
|
Code, and amended to read as follows: |
|
|
Sec. 2063.103 [2054.5191]. CYBERSECURITY TRAINING REQUIRED |
|
|
[: CERTAIN EMPLOYEES AND OFFICIALS]. (a) Each elected or appointed |
|
|
official and employee of a governmental entity who has access to the |
|
|
entity's information resources or information resources |
|
|
technologies [state agency shall identify state employees who use a |
|
|
computer to complete at least 25 percent of the employee's required |
|
|
duties. At least once each year, an employee identified by the |
|
|
state agency and each elected or appointed officer of the agency] |
|
|
shall annually complete a cybersecurity training program certified |
|
|
under Section 2063.102 [2054.519]. |
|
|
(b) [(a-1) At least once each year, a local government |
|
|
shall: |
|
|
[(1) identify local government employees and elected |
|
|
and appointed officials who have access to a local government |
|
|
computer system or database and use a computer to perform at least |
|
|
25 percent of the employee's or official's required duties; and |
|
|
[(2) require the employees and officials identified |
|
|
under Subdivision (1) to complete a cybersecurity training program |
|
|
certified under Section 2054.519. |
|
|
[(a-2)] The governing body of a governmental entity [local |
|
|
government] or the governing body's designee may deny access to the |
|
|
governmental entity's information resources or information |
|
|
resources technologies [local government's computer system or |
|
|
database] to an employee or official [individual described by |
|
|
Subsection (a-1)(1)] who [the governing body or the governing |
|
|
body's designee determines] is noncompliant with the requirements |
|
|
of Subsection (a) [(a-1)(2)]. |
|
|
(c) [(b)] The governing body of a local government may |
|
|
select the most appropriate cybersecurity training program |
|
|
certified under Section 2063.102 [2054.519] for employees and |
|
|
officials of the local government to complete. The governing body |
|
|
shall: |
|
|
(1) verify and report on the completion of a |
|
|
cybersecurity training program by employees and officials of the |
|
|
local government to the command [department]; and |
|
|
(2) require periodic audits to ensure compliance with |
|
|
this section. |
|
|
(d) [(c)] A state agency may select the most appropriate |
|
|
cybersecurity training program certified under Section 2063.102 |
|
|
[2054.519] for employees and officials of the state agency. The |
|
|
executive head of each state agency shall verify completion of a |
|
|
cybersecurity training program by employees and officials of the |
|
|
state agency in a manner specified by the command [department]. |
|
|
(e) [(d)] The executive head of each state agency shall |
|
|
periodically require an internal review of the agency to ensure |
|
|
compliance with this section. |
|
|
(f) [(e)] The command [department] shall develop a form for |
|
|
use by governmental entities [state agencies and local governments] |
|
|
in verifying completion of cybersecurity training program |
|
|
requirements under this section. The form must allow the state |
|
|
agency and local government to indicate the percentage of employee |
|
|
and official completion. |
|
|
(g) [(f)] The requirements of Subsection [Subsections] (a) |
|
|
[and (a-1)] do not apply to employees and officials who have been: |
|
|
(1) granted military leave; |
|
|
(2) granted leave under the federal Family and Medical |
|
|
Leave Act of 1993 (29 U.S.C. Section 2601 et seq.); |
|
|
(3) granted leave related to a sickness or disability |
|
|
covered by workers' compensation benefits, if that employee or |
|
|
official no longer has access to the governmental entity's |
|
|
information resources or information resources technologies [state |
|
|
agency's or local government's database and systems]; |
|
|
(4) granted any other type of extended leave or |
|
|
authorization to work from an alternative work site if that |
|
|
employee or official no longer has access to the governmental |
|
|
entity's information resources or information resources |
|
|
technologies [state agency's or local government's database and |
|
|
systems]; or |
|
|
(5) denied access to a governmental entity's |
|
|
information resources or information resources technologies [local |
|
|
government's computer system or database by the governing body of |
|
|
the local government or the governing body's designee] under |
|
|
Subsection (b) [(a-2)] for noncompliance with the requirements of |
|
|
Subsection (a) [(a-1)(2)]. |
|
|
SECTION 6. Section 2054.5192, Government Code, is |
|
|
transferred to Subchapter B, Chapter 2063, Government Code, as |
|
|
added by this Act, redesignated as Section 2063.104, Government |
|
|
Code, and amended to read as follows: |
|
|
Sec. 2063.104 [2054.5192]. CYBERSECURITY TRAINING |
|
|
REQUIRED: CERTAIN STATE CONTRACTORS. (a) In this section, |
|
|
"contractor" includes a subcontractor, officer, or employee of the |
|
|
contractor. |
|
|
(b) A state agency shall require any contractor who has |
|
|
access to a state computer system or database to complete a |
|
|
cybersecurity training program certified under Section 2063.102 |
|
|
[2054.519] as selected by the agency. |
|
|
(c) The cybersecurity training program must be completed by |
|
|
a contractor during the term of the contract and during any renewal |
|
|
period. |
|
|
(d) Required completion of a cybersecurity training program |
|
|
must be included in the terms of a contract awarded by a state |
|
|
agency to a contractor. |
|
|
(e) A contractor required to complete a cybersecurity |
|
|
training program under this section shall verify completion of the |
|
|
program to the contracting state agency. The person who oversees |
|
|
contract management for the agency shall: |
|
|
(1) not later than August 31 of each year, report the |
|
|
contractor's completion to the command [department]; and |
|
|
(2) periodically review agency contracts to ensure |
|
|
compliance with this section. |
|
|
SECTION 7. Section 2054.0594, Government Code, is |
|
|
transferred to Subchapter C, Chapter 2063, Government Code, as |
|
|
added by this Act, redesignated as Section 2063.204, Government |
|
|
Code, and amended to read as follows: |
|
|
Sec. 2063.204 [2054.0594]. INFORMATION SHARING AND |
|
|
ANALYSIS ORGANIZATION. (a) The command [department] shall |
|
|
establish an information sharing and analysis organization to |
|
|
provide a forum for state agencies, local governments, public and |
|
|
private institutions of higher education, and the private sector to |
|
|
share information regarding cybersecurity threats, best practices, |
|
|
and remediation strategies. |
|
|
(b) [The department shall provide administrative support to |
|
|
the information sharing and analysis organization. |
|
|
[(c)] A participant in the information sharing and analysis |
|
|
organization shall assert any exception available under state or |
|
|
federal law, including Section 552.139, in response to a request |
|
|
for public disclosure of information shared through the |
|
|
organization. Section 552.007 does not apply to information |
|
|
described by this subsection. |
|
|
(c) [(d)] The command [department] shall establish a |
|
|
framework for regional cybersecurity task forces [working groups] |
|
|
to execute mutual aid agreements that allow state agencies, local |
|
|
governments, regional planning commissions, public and private |
|
|
institutions of higher education, the private sector, the regional |
|
|
security operations centers under Subchapter G, and the |
|
|
cybersecurity incident response unit under Section 2063.202 [and |
|
|
the incident response team established under Subchapter N-2] to |
|
|
assist with responding to a cybersecurity incident [event] in this |
|
|
state. A task force [working group] may be established within the |
|
|
geographic area of a regional planning commission established under |
|
|
Chapter 391, Local Government Code. The task force [working group] |
|
|
may establish a list of available cybersecurity experts and share |
|
|
resources to assist in responding to the cybersecurity incident |
|
|
[event] and recovery from the incident [event]. |
|
|
SECTION 8. Chapter 2063, Government Code, as added by this |
|
|
Act, is amended by adding Subchapter D, and a heading is added to |
|
|
that subchapter to read as follows: |
|
|
SUBCHAPTER D. REPORTING |
|
|
SECTION 9. Sections 2054.0591 and 2054.077, Government |
|
|
Code, are transferred to Subchapter D, Chapter 2063, Government |
|
|
Code, as added by this Act, redesignated as Sections 2063.301 and |
|
|
2063.302, Government Code, respectively, and amended to read as |
|
|
follows: |
|
|
Sec. 2063.301 [2054.0591]. CYBERSECURITY REPORT. (a) Not |
|
|
later than November 15 of each even-numbered year, the command |
|
|
[department] shall submit to the governor, the lieutenant governor, |
|
|
the speaker of the house of representatives, and the standing |
|
|
committee of each house of the legislature with primary |
|
|
jurisdiction over state government operations a report identifying |
|
|
preventive and recovery efforts the state can undertake to improve |
|
|
cybersecurity in this state. The report must include: |
|
|
(1) an assessment of the resources available to |
|
|
address the operational and financial impacts of a cybersecurity |
|
|
event; |
|
|
(2) a review of existing statutes regarding |
|
|
cybersecurity and information resources technologies; and |
|
|
(3) recommendations for legislative action to |
|
|
increase the state's cybersecurity and protect against adverse |
|
|
impacts from a cybersecurity incident [event; and |
|
|
[(4) an evaluation of a program that provides an |
|
|
information security officer to assist small state agencies and |
|
|
local governments that are unable to justify hiring a full-time |
|
|
information security officer]. |
|
|
(b) Not later than October 1 of each even-numbered year, the |
|
|
command shall submit a report to the Legislative Budget Board that |
|
|
prioritizes, for the purpose of receiving funding, state agency |
|
|
cybersecurity projects. Each state agency shall coordinate with the |
|
|
command to implement this subsection. |
|
|
(c) [(b)] The command [department] or a recipient of a |
|
|
report under this section may redact or withhold information |
|
|
confidential under Chapter 552, including Section 552.139, or other |
|
|
state or federal law that is contained in the report in response to |
|
|
a request under Chapter 552 without the necessity of requesting a |
|
|
decision from the attorney general under Subchapter G, Chapter 552. |
|
|
The disclosure of information under this section is not a voluntary |
|
|
disclosure for purposes of Section 552.007. |
|
|
Sec. 2063.302 [2054.077]. VULNERABILITY REPORTS. (a) In |
|
|
this section, a term defined by Section 33.01, Penal Code, has the |
|
|
meaning assigned by that section. |
|
|
(b) The information security officer of a state agency shall |
|
|
prepare or have prepared a report, including an executive summary |
|
|
of the findings of the biennial report, not later than June 1 of |
|
|
each even-numbered year, assessing the extent to which a computer, |
|
|
a computer program, a computer network, a computer system, a |
|
|
printer, an interface to a computer system, including mobile and |
|
|
peripheral devices, computer software, or data processing of the |
|
|
agency or of a contractor of the agency is vulnerable to |
|
|
unauthorized access or harm, including the extent to which the |
|
|
agency's or contractor's electronically stored information is |
|
|
vulnerable to alteration, damage, erasure, or inappropriate use. |
|
|
(c) Except as provided by this section, a vulnerability |
|
|
report and any information or communication prepared or maintained |
|
|
for use in the preparation of a vulnerability report is |
|
|
confidential and is not subject to disclosure under Chapter 552. |
|
|
(d) The information security officer shall provide an |
|
|
electronic copy of the vulnerability report on its completion to: |
|
|
(1) the command [department]; |
|
|
(2) the state auditor; |
|
|
(3) the agency's executive director; |
|
|
(4) the agency's designated information resources |
|
|
manager; and |
|
|
(5) any other information technology security |
|
|
oversight group specifically authorized by the legislature to |
|
|
receive the report. |
|
|
(e) Separate from the executive summary described by |
|
|
Subsection (b), a state agency shall prepare a summary of the |
|
|
agency's vulnerability report that does not contain any information |
|
|
the release of which might compromise the security of the state |
|
|
agency's or state agency contractor's computers, computer programs, |
|
|
computer networks, computer systems, printers, interfaces to |
|
|
computer systems, including mobile and peripheral devices, |
|
|
computer software, data processing, or electronically stored |
|
|
information. [The summary is available to the public on request.] |
|
|
SECTION 10. Section 2054.136, Government Code, is |
|
|
transferred to Subchapter E, Chapter 2063, Government Code, as |
|
|
added by this Act, redesignated as Section 2063.401, Government |
|
|
Code, and amended to read as follows: |
|
|
Sec. 2063.401 [2054.136]. DESIGNATED INFORMATION SECURITY |
|
|
OFFICER. Each state agency shall designate an information security |
|
|
officer who: |
|
|
(1) reports to the agency's executive-level |
|
|
management; |
|
|
(2) has authority over information security for the |
|
|
entire agency; |
|
|
(3) possesses the training and experience required to |
|
|
ensure the agency complies with requirements and policies |
|
|
established by the command [perform the duties required by |
|
|
department rules]; and |
|
|
(4) to the extent feasible, has information security |
|
|
duties as the officer's primary duties. |
|
|
SECTION 11. Section 2054.518, Government Code, is |
|
|
transferred to Subchapter E, Chapter 2063, Government Code, as |
|
|
added by this Act, redesignated as Section 2063.402, Government |
|
|
Code, and amended to read as follows: |
|
|
Sec. 2063.402 [2054.518]. CYBERSECURITY RISKS AND |
|
|
INCIDENTS. (a) The command [department] shall develop a plan to |
|
|
address cybersecurity risks and incidents in this state. The |
|
|
command [department] may enter into an agreement with a national |
|
|
organization, including the National Cybersecurity Preparedness |
|
|
Consortium, to support the command's [department's] efforts in |
|
|
implementing the components of the plan for which the command |
|
|
[department] lacks resources to address internally. The agreement |
|
|
may include provisions for: |
|
|
(1) providing technical assistance services to |
|
|
support preparedness for and response to cybersecurity risks and |
|
|
incidents; |
|
|
(2) conducting cybersecurity simulation exercises for |
|
|
state agencies to encourage coordination in defending against and |
|
|
responding to cybersecurity risks and incidents; |
|
|
(3) assisting state agencies in developing |
|
|
cybersecurity information-sharing programs to disseminate |
|
|
information related to cybersecurity risks and incidents; and |
|
|
(4) incorporating cybersecurity risk and incident |
|
|
prevention and response methods into existing state emergency |
|
|
plans, including continuity of operation plans and incident |
|
|
response plans. |
|
|
(b) In implementing the provisions of the agreement |
|
|
prescribed by Subsection (a), the command [department] shall seek |
|
|
to prevent unnecessary duplication of existing programs or efforts |
|
|
of the command [department] or another state agency. |
|
|
(c) [(d)] The command [department] shall consult with |
|
|
institutions of higher education in this state when appropriate |
|
|
based on an institution's expertise in addressing specific |
|
|
cybersecurity risks and incidents. |
|
|
SECTION 12. Section 2054.133, Government Code, is |
|
|
transferred to Subchapter E, Chapter 2063, Government Code, as |
|
|
added by this Act, redesignated as Section 2063.403, Government |
|
|
Code, and amended to read as follows: |
|
|
Sec. 2063.403 [2054.133]. INFORMATION SECURITY PLAN. (a) |
|
|
Each state agency shall develop, and periodically update, an |
|
|
information security plan for protecting the security of the |
|
|
agency's information. |
|
|
(b) In developing the plan, the state agency shall: |
|
|
(1) consider any vulnerability report prepared under |
|
|
Section 2063.302 [2054.077] for the agency; |
|
|
(2) incorporate the network security services |
|
|
provided by the department to the agency under Chapter 2059; |
|
|
(3) identify and define the responsibilities of agency |
|
|
staff who produce, access, use, or serve as custodians of the |
|
|
agency's information; |
|
|
(4) identify risk management and other measures taken |
|
|
to protect the agency's information from unauthorized access, |
|
|
disclosure, modification, or destruction; |
|
|
(5) include: |
|
|
(A) the best practices for information security |
|
|
developed by the command [department]; or |
|
|
(B) if best practices are not applied, a written |
|
|
explanation of why the best practices are not sufficient for the |
|
|
agency's security; and |
|
|
(6) omit from any written copies of the plan |
|
|
information that could expose vulnerabilities in the agency's |
|
|
network or online systems. |
|
|
(c) Not later than June 1 of each even-numbered year, each |
|
|
state agency shall submit a copy of the agency's information |
|
|
security plan to the command [department]. Subject to available |
|
|
resources, the command [department] may select a portion of the |
|
|
submitted security plans to be assessed by the command [department] |
|
|
in accordance with command policies [department rules]. |
|
|
(d) Each state agency's information security plan is |
|
|
confidential and exempt from disclosure under Chapter 552. |
|
|
(e) Each state agency shall include in the agency's |
|
|
information security plan a written document that is signed by the |
|
|
head of the agency, the chief financial officer, and each executive |
|
|
manager designated by the state agency and states that those |
|
|
persons have been made aware of the risks revealed during the |
|
|
preparation of the agency's information security plan. |
|
|
(f) Not later than November 15 of each even-numbered year, |
|
|
the command [department] shall submit a written report to the |
|
|
governor, the lieutenant governor, the speaker of the house of |
|
|
representatives, and each standing committee of the legislature |
|
|
with primary jurisdiction over matters related to the command |
|
|
[department] evaluating information security for this state's |
|
|
information resources. In preparing the report, the command |
|
|
[department] shall consider the information security plans |
|
|
submitted by state agencies under this section, any vulnerability |
|
|
reports submitted under Section 2063.302 [2054.077], and other |
|
|
available information regarding the security of this state's |
|
|
information resources. The command [department] shall omit from |
|
|
any written copies of the report information that could expose |
|
|
specific vulnerabilities [in the security of this state's |
|
|
information resources]. |
|
|
SECTION 13. Section 2054.516, Government Code, is |
|
|
transferred to Subchapter E, Chapter 2063, Government Code, as |
|
|
added by this Act, redesignated as Section 2063.405, Government |
|
|
Code, and amended to read as follows: |
|
|
Sec. 2063.405 [2054.516]. DATA SECURITY PLAN FOR ONLINE |
|
|
AND MOBILE APPLICATIONS. (a) Each state agency implementing an |
|
|
Internet website or mobile application that processes any sensitive |
|
|
personal or personally identifiable information or confidential |
|
|
information must: |
|
|
(1) submit a biennial data security plan to the |
|
|
command [department] not later than June 1 of each even-numbered |
|
|
year to establish planned beta testing for the website or |
|
|
application; and |
|
|
(2) subject the website or application to a |
|
|
vulnerability and penetration test and address any vulnerability |
|
|
identified in the test. |
|
|
(b) The command [department] shall review each data |
|
|
security plan submitted under Subsection (a) and make any |
|
|
recommendations for changes to the plan to the state agency as soon |
|
|
as practicable after the command [department] reviews the plan. |
|
|
SECTION 14. Section 2054.512, Government Code, is |
|
|
transferred to Subchapter E, Chapter 2063, Government Code, as |
|
|
added by this Act, redesignated as Section 2063.406, Government |
|
|
Code, and amended to read as follows: |
|
|
Sec. 2063.406 [2054.512]. CYBERSECURITY COUNCIL. (a) The |
|
|
chief or the chief's designee [state cybersecurity coordinator] |
|
|
shall [establish and] lead a cybersecurity council that includes |
|
|
public and private sector leaders and cybersecurity practitioners |
|
|
to collaborate on matters of cybersecurity concerning this state. |
|
|
(b) The cybersecurity council must include: |
|
|
(1) one member who is an employee of the office of the |
|
|
governor; |
|
|
(2) one member of the senate appointed by the |
|
|
lieutenant governor; |
|
|
(3) one member of the house of representatives |
|
|
appointed by the speaker of the house of representatives; |
|
|
(4) one member who is an employee of the Elections |
|
|
Division of the Office of the Secretary of State; [and] |
|
|
(5) one member who is an employee of the department; |
|
|
and |
|
|
(6) additional members appointed by the chief [state |
|
|
cybersecurity coordinator], including representatives of |
|
|
institutions of higher education and private sector leaders. |
|
|
(c) Members of the cybersecurity council serve staggered |
|
|
six-year terms, with as near as possible to one-third of the |
|
|
members' terms expiring February 1 of each odd-numbered year. |
|
|
(d) In appointing representatives from institutions of |
|
|
higher education to the cybersecurity council, the chief [state |
|
|
cybersecurity coordinator] shall consider appointing members of |
|
|
the Information Technology Council for Higher Education. |
|
|
(e) [(d)] The cybersecurity council shall: |
|
|
(1) consider the costs and benefits of establishing a |
|
|
computer emergency readiness team to address cybersecurity |
|
|
incidents [cyber attacks] occurring in this state during routine |
|
|
and emergency situations; |
|
|
(2) establish criteria and priorities for addressing |
|
|
cybersecurity threats to critical state installations; |
|
|
(3) consolidate and synthesize best practices to |
|
|
assist state agencies in understanding and implementing |
|
|
cybersecurity measures that are most beneficial to this state; and |
|
|
(4) assess the knowledge, skills, and capabilities of |
|
|
the existing information technology and cybersecurity workforce to |
|
|
mitigate and respond to cyber threats and develop recommendations |
|
|
for addressing immediate workforce deficiencies and ensuring a |
|
|
long-term pool of qualified applicants. |
|
|
(f) [(e)] The chief, in collaboration with the |
|
|
cybersecurity council, shall provide recommendations to the |
|
|
legislature on any legislation necessary to implement |
|
|
cybersecurity best practices and remediation strategies for this |
|
|
state. |
|
|
SECTION 15. Section 2054.514, Government Code, is |
|
|
transferred to Subchapter E, Chapter 2063, Government Code, as |
|
|
added by this Act, redesignated as Section 2063.407, Government |
|
|
Code, and amended to read as follows: |
|
|
Sec. 2063.407 [2054.514]. RECOMMENDATIONS. The chief |
|
|
[state cybersecurity coordinator] may implement any portion, or all |
|
|
of the recommendations made by the cybersecurity council under |
|
|
Section 2063.406 [Cybersecurity, Education, and Economic |
|
|
Development Council under Subchapter N]. |
|
|
SECTION 16. Subchapter N-2, Chapter 2054, Government Code, |
|
|
is transferred to Chapter 2063, Government Code, as added by this |
|
|
Act, redesignated as Subchapter F, Chapter 2063, Government Code, |
|
|
and amended to read as follows: |
|
|
SUBCHAPTER F [N-2]. TEXAS VOLUNTEER INCIDENT RESPONSE TEAM |
|
|
Sec. 2063.501 [2054.52001]. DEFINITIONS. In this |
|
|
subchapter: |
|
|
(1) "Incident response team" means the Texas volunteer |
|
|
incident response team established under Section 2063.502 |
|
|
[2054.52002]. |
|
|
(2) "Participating entity" means a state agency, |
|
|
including an institution of higher education, or a local government |
|
|
that receives assistance under this subchapter during a |
|
|
cybersecurity incident [event]. |
|
|
(3) "Volunteer" means an individual who provides rapid |
|
|
response assistance during a cybersecurity incident [event] under |
|
|
this subchapter. |
|
|
Sec. 2063.502 [2054.52002]. ESTABLISHMENT OF TEXAS |
|
|
VOLUNTEER INCIDENT RESPONSE TEAM. (a) The command [department] |
|
|
shall establish the Texas volunteer incident response team to |
|
|
provide rapid response assistance to a participating entity under |
|
|
the command's [department's] direction during a cybersecurity |
|
|
incident [event]. |
|
|
(b) The command [department] shall prescribe eligibility |
|
|
criteria for participation as a volunteer member of the incident |
|
|
response team, including a requirement that each volunteer have |
|
|
expertise in addressing cybersecurity incidents [events]. |
|
|
Sec. 2063.503 [2054.52003]. CONTRACT WITH VOLUNTEERS. The |
|
|
command [department] shall enter into a contract with each |
|
|
volunteer the command [department] approves to provide rapid |
|
|
response assistance under this subchapter. The contract must |
|
|
require the volunteer to: |
|
|
(1) acknowledge the confidentiality of information |
|
|
required by Section 2063.510 [2054.52010]; |
|
|
(2) protect all confidential information from |
|
|
disclosure; |
|
|
(3) avoid conflicts of interest that might arise in a |
|
|
deployment under this subchapter; |
|
|
(4) comply with command [department] security |
|
|
policies and procedures regarding information resources |
|
|
technologies; |
|
|
(5) consent to background screening required by the |
|
|
command [department]; and |
|
|
(6) attest to the volunteer's satisfaction of any |
|
|
eligibility criteria established by the command [department]. |
|
|
Sec. 2063.504 [2054.52004]. VOLUNTEER QUALIFICATION. (a) |
|
|
The command [department] shall require criminal history record |
|
|
information for each individual who accepts an invitation to become |
|
|
a volunteer. |
|
|
(b) The command [department] may request other information |
|
|
relevant to the individual's qualification and fitness to serve as |
|
|
a volunteer. |
|
|
(c) The command [department] has sole discretion to |
|
|
determine whether an individual is qualified to serve as a |
|
|
volunteer. |
|
|
Sec. 2063.505 [2054.52005]. DEPLOYMENT. (a) In response |
|
|
to a cybersecurity incident [event] that affects multiple |
|
|
participating entities or a declaration by the governor of a state |
|
|
of disaster caused by a cybersecurity event, the command |
|
|
[department] on request of a participating entity may deploy |
|
|
volunteers and provide rapid response assistance under the |
|
|
command's [department's] direction and the managed security |
|
|
services framework established under Section 2063.204(c) |
|
|
[2054.0594(d)] to assist with the incident [event]. |
|
|
(b) A volunteer may only accept a deployment under this |
|
|
subchapter in writing. A volunteer may decline to accept a |
|
|
deployment for any reason. |
|
|
Sec. 2063.506 [2054.52006]. CYBERSECURITY COUNCIL |
|
|
DUTIES. The cybersecurity council established under Section |
|
|
2063.406 [2054.512] shall review and make recommendations to the |
|
|
command [department] regarding the policies and procedures used by |
|
|
the command [department] to implement this subchapter. The command |
|
|
[department] may consult with the council to implement and |
|
|
administer this subchapter. |
|
|
Sec. 2063.507 [2054.52007]. COMMAND [DEPARTMENT] POWERS |
|
|
AND DUTIES. (a) The command [department] shall: |
|
|
(1) approve the incident response tools the incident |
|
|
response team may use in responding to a cybersecurity incident |
|
|
[event]; |
|
|
(2) establish the eligibility criteria an individual |
|
|
must meet to become a volunteer; |
|
|
(3) develop and publish guidelines for operation of |
|
|
the incident response team, including the: |
|
|
(A) standards and procedures the command |
|
|
[department] uses to determine whether an individual is eligible to |
|
|
serve as a volunteer; |
|
|
(B) process for an individual to apply for and |
|
|
accept incident response team membership; |
|
|
(C) requirements for a participating entity to |
|
|
receive assistance from the incident response team; and |
|
|
(D) process for a participating entity to request |
|
|
and obtain the assistance of the incident response team; and |
|
|
(4) adopt policies [rules] necessary to implement this |
|
|
subchapter. |
|
|
(b) The command [department] may require a participating |
|
|
entity to enter into a contract as a condition for obtaining |
|
|
assistance from the incident response team. [The contract must |
|
|
comply with the requirements of Chapters 771 and 791.] |
|
|
(c) The command [department] may provide appropriate |
|
|
training to prospective and approved volunteers. |
|
|
(d) In accordance with state law, the command [department] |
|
|
may provide compensation for actual and necessary travel and living |
|
|
expenses incurred by a volunteer on a deployment using money |
|
|
available for that purpose. |
|
|
(e) The command [department] may establish a fee schedule |
|
|
for participating entities receiving incident response team |
|
|
assistance. The amount of fees collected may not exceed the |
|
|
command's [department's] costs to operate the incident response |
|
|
team. |
|
|
Sec. 2063.508 [2054.52008]. STATUS OF VOLUNTEER; |
|
|
LIABILITY. (a) A volunteer is not an agent, employee, or |
|
|
independent contractor of this state for any purpose and has no |
|
|
authority to obligate this state to a third party. |
|
|
(b) This state is not liable to a volunteer for personal |
|
|
injury or property damage sustained by the volunteer that arises |
|
|
from participation in the incident response team. |
|
|
Sec. 2063.509 [2054.52009]. CIVIL LIABILITY. A volunteer |
|
|
who in good faith provides professional services in response to a |
|
|
cybersecurity incident [event] is not liable for civil damages as a |
|
|
result of the volunteer's acts or omissions in providing the |
|
|
services, except for wilful and wanton misconduct. This immunity |
|
|
is limited to services provided during the time of deployment for a |
|
|
cybersecurity incident [event]. |
|
|
Sec. 2063.510 [2054.52010]. CONFIDENTIAL INFORMATION. |
|
|
Information written, produced, collected, assembled, or maintained |
|
|
by the command [department], a participating entity, the |
|
|
cybersecurity council, or a volunteer in the implementation of this |
|
|
subchapter is confidential and not subject to disclosure under |
|
|
Chapter 552 if the information: |
|
|
(1) contains the contact information for a volunteer; |
|
|
(2) identifies or provides a means of identifying a |
|
|
person who may, as a result of disclosure of the information, become |
|
|
a victim of a cybersecurity incident [event]; |
|
|
(3) consists of a participating entity's cybersecurity |
|
|
plans or cybersecurity-related practices; or |
|
|
(4) is obtained from a participating entity or from a |
|
|
participating entity's computer system in the course of providing |
|
|
assistance under this subchapter. |
|
|
SECTION 17. Subchapter E, Chapter 2059, Government Code, is |
|
|
transferred to Chapter 2063, Government Code, as added by this Act, |
|
|
redesignated as Subchapter G, Chapter 2063, Government Code, and |
|
|
amended to read as follows: |
|
|
SUBCHAPTER G [E]. REGIONAL [NETWORK] SECURITY OPERATIONS CENTERS |
|
|
Sec. 2063.601 [2059.201]. ELIGIBLE PARTICIPATING ENTITIES. |
|
|
A state agency or an entity listed in Section 2059.058 is eligible |
|
|
to participate in cybersecurity support and network security |
|
|
provided by a regional [network] security operations center under |
|
|
this subchapter. |
|
|
Sec. 2063.602 [2059.202]. ESTABLISHMENT OF REGIONAL |
|
|
[NETWORK] SECURITY OPERATIONS CENTERS. (a) Subject to Subsection |
|
|
(b), the command [department] may establish regional [network] |
|
|
security operations centers, under the command's [department's] |
|
|
managed security services framework established by Section |
|
|
2063.204(c) [2054.0594(d)], to assist in providing cybersecurity |
|
|
support and network security to regional offices or locations for |
|
|
state agencies and other eligible entities that elect to |
|
|
participate in and receive services through the center. |
|
|
(b) The command [department] may establish more than one |
|
|
regional [network] security operations center only if the command |
|
|
[department] determines the first center established by the command |
|
|
[department] successfully provides to state agencies and other |
|
|
eligible entities the services the center has contracted to |
|
|
provide. |
|
|
(c) The command [department] shall enter into an |
|
|
interagency contract in accordance with Chapter 771 or an |
|
|
interlocal contract in accordance with Chapter 791, as appropriate, |
|
|
with an eligible participating entity that elects to participate in |
|
|
and receive services through a regional [network] security |
|
|
operations center. |
|
|
Sec. 2063.603 [2059.203]. REGIONAL [NETWORK] SECURITY |
|
|
OPERATIONS CENTER LOCATIONS AND PHYSICAL SECURITY. (a) In |
|
|
creating and operating a regional [network] security operations |
|
|
center, the command may [department shall] partner with another [a] |
|
|
university system or institution of higher education as defined by |
|
|
Section 61.003, Education Code, other than a public junior college. |
|
|
The system or institution shall: |
|
|
(1) serve as an education partner with the command |
|
|
[department] for the regional [network] security operations |
|
|
center; and |
|
|
(2) enter into an interagency contract with the |
|
|
command [department] in accordance with Chapter 771. |
|
|
(b) In selecting the location for a regional [network] |
|
|
security operations center, the command [department] shall select a |
|
|
university system or institution of higher education that has |
|
|
supportive educational capabilities. |
|
|
(c) A university system or institution of higher education |
|
|
selected to serve as a regional [network] security operations |
|
|
center shall control and monitor all entrances to and critical |
|
|
areas of the center to prevent unauthorized entry. The system or |
|
|
institution shall restrict access to the center to only authorized |
|
|
individuals. |
|
|
(d) A local law enforcement entity or any entity providing |
|
|
security for a regional [network] security operations center shall |
|
|
monitor security alarms at the regional [network] security |
|
|
operations center subject to the availability of that service. |
|
|
(e) The command [department] and a university system or |
|
|
institution of higher education selected to serve as a regional |
|
|
[network] security operations center shall restrict operational |
|
|
information to only center personnel, except as provided by Chapter |
|
|
321. |
|
|
Sec. 2063.604 [2059.204]. REGIONAL [NETWORK] SECURITY |
|
|
OPERATIONS CENTERS SERVICES AND SUPPORT. The command [department] |
|
|
may offer the following managed security services through a |
|
|
regional [network] security operations center: |
|
|
(1) real-time network security monitoring to detect |
|
|
and respond to network security events that may jeopardize this |
|
|
state and the residents of this state; |
|
|
(2) alerts and guidance for defeating network security |
|
|
threats, including firewall configuration, installation, |
|
|
management, and monitoring, intelligence gathering, and protocol |
|
|
analysis; |
|
|
(3) immediate response to counter network security |
|
|
activity that exposes this state and the residents of this state to |
|
|
risk, including complete intrusion detection system installation, |
|
|
management, and monitoring for participating entities; |
|
|
(4) development, coordination, and execution of |
|
|
statewide cybersecurity operations to isolate, contain, and |
|
|
mitigate the impact of network security incidents for participating |
|
|
entities; and |
|
|
(5) cybersecurity educational services. |
|
|
Sec. 2063.605 [2059.205]. NETWORK SECURITY GUIDELINES AND |
|
|
STANDARD OPERATING PROCEDURES. (a) The command [department] shall |
|
|
adopt and provide to each regional [network] security operations |
|
|
center appropriate network security guidelines and standard |
|
|
operating procedures to ensure efficient operation of the center |
|
|
with a maximum return on the state's investment. |
|
|
(b) The command [department] shall revise the standard |
|
|
operating procedures as necessary to confirm network security. |
|
|
(c) Each eligible participating entity that elects to |
|
|
participate in a regional [network] security operations center |
|
|
shall comply with the network security guidelines and standard |
|
|
operating procedures. |
|
|
SECTION 18. Section 325.011, Government Code, is amended to |
|
|
read as follows: |
|
|
Sec. 325.011. CRITERIA FOR REVIEW. The commission and its |
|
|
staff shall consider the following criteria in determining whether |
|
|
a public need exists for the continuation of a state agency or its |
|
|
advisory committees or for the performance of the functions of the |
|
|
agency or its advisory committees: |
|
|
(1) the efficiency and effectiveness with which the |
|
|
agency or the advisory committee operates; |
|
|
(2)(A) an identification of the mission, goals, and |
|
|
objectives intended for the agency or advisory committee and of the |
|
|
problem or need that the agency or advisory committee was intended |
|
|
to address; and |
|
|
(B) the extent to which the mission, goals, and |
|
|
objectives have been achieved and the problem or need has been |
|
|
addressed; |
|
|
(3)(A) an identification of any activities of the |
|
|
agency in addition to those granted by statute and of the authority |
|
|
for those activities; and |
|
|
(B) the extent to which those activities are |
|
|
needed; |
|
|
(4) an assessment of authority of the agency relating |
|
|
to fees, inspections, enforcement, and penalties; |
|
|
(5) whether less restrictive or alternative methods of |
|
|
performing any function that the agency performs could adequately |
|
|
protect or provide service to the public; |
|
|
(6) the extent to which the jurisdiction of the agency |
|
|
and the programs administered by the agency overlap or duplicate |
|
|
those of other agencies, the extent to which the agency coordinates |
|
|
with those agencies, and the extent to which the programs |
|
|
administered by the agency can be consolidated with the programs of |
|
|
other state agencies; |
|
|
(7) the promptness and effectiveness with which the |
|
|
agency addresses complaints concerning entities or other persons |
|
|
affected by the agency, including an assessment of the agency's |
|
|
administrative hearings process; |
|
|
(8) an assessment of the agency's rulemaking process |
|
|
and the extent to which the agency has encouraged participation by |
|
|
the public in making its rules and decisions and the extent to which |
|
|
the public participation has resulted in rules that benefit the |
|
|
public; |
|
|
(9) the extent to which the agency has complied with: |
|
|
(A) federal and state laws and applicable rules |
|
|
regarding equality of employment opportunity and the rights and |
|
|
privacy of individuals; and |
|
|
(B) state law and applicable rules of any state |
|
|
agency regarding purchasing guidelines and programs for |
|
|
historically underutilized businesses; |
|
|
(10) the extent to which the agency issues and |
|
|
enforces rules relating to potential conflicts of interest of its |
|
|
employees; |
|
|
(11) the extent to which the agency complies with |
|
|
Chapters 551 and 552 and follows records management practices that |
|
|
enable the agency to respond efficiently to requests for public |
|
|
information; |
|
|
(12) the effect of federal intervention or loss of |
|
|
federal funds if the agency is abolished; |
|
|
(13) the extent to which the purpose and effectiveness |
|
|
of reporting requirements imposed on the agency justifies the |
|
|
continuation of the requirement; and |
|
|
(14) an assessment of the agency's cybersecurity |
|
|
practices using confidential information available from the |
|
|
Department of Information Resources, the Texas Cyber Command, or |
|
|
any other appropriate state agency. |
|
|
SECTION 19. Section 11.175(h-1), Education Code, is amended |
|
|
to read as follows: |
|
|
(h-1) Notwithstanding Section 2063.103 [2054.5191], |
|
|
Government Code, only the district's cybersecurity coordinator is |
|
|
required to complete the cybersecurity training under that section |
|
|
on an annual basis. Any other school district employee required to |
|
|
complete the cybersecurity training shall complete the training as |
|
|
determined by the district, in consultation with the district's |
|
|
cybersecurity coordinator. |
|
|
SECTION 20. Section 38.307(e), Education Code, is amended |
|
|
to read as follows: |
|
|
(e) The agency shall maintain the data collected by the task |
|
|
force and the work product of the task force in accordance with: |
|
|
(1) the agency's information security plan under |
|
|
Section 2063.403 [2054.133], Government Code; and |
|
|
(2) the agency's records retention schedule under |
|
|
Section 441.185, Government Code. |
|
|
SECTION 21. Section 61.003(6), Education Code, is amended |
|
|
to read as follows: |
|
|
(6) "Other agency of higher education" means The |
|
|
University of Texas System, System Administration; The University |
|
|
of Texas at El Paso Museum; Texas Epidemic Public Health Institute |
|
|
at The University of Texas Health Science Center at Houston; the |
|
|
Texas Cyber Command; The Texas A&M University System, |
|
|
Administrative and General Offices; Texas A&M AgriLife Research; |
|
|
Texas A&M AgriLife Extension Service; Rodent and Predatory Animal |
|
|
Control Service (a part of the Texas A&M AgriLife Extension |
|
|
Service); Texas A&M Engineering Experiment Station (including the |
|
|
Texas A&M Transportation Institute); Texas A&M Engineering |
|
|
Extension Service; Texas A&M Forest Service; Texas Division of |
|
|
Emergency Management; Texas Tech University Museum; Texas State |
|
|
University System, System Administration; Sam Houston Memorial |
|
|
Museum; Panhandle-Plains Historical Museum; Cotton Research |
|
|
Committee of Texas; Texas Water Resources Institute; Texas A&M |
|
|
Veterinary Medical Diagnostic Laboratory; and any other unit, |
|
|
division, institution, or agency which shall be so designated by |
|
|
statute or which may be established to operate as a component part |
|
|
of any public senior college or university, or which may be so |
|
|
classified as provided in this chapter. |
|
|
SECTION 22. Section 65.02(a), Education Code, is amended to |
|
|
read as follows: |
|
|
(a) The University of Texas System is composed of the |
|
|
following institutions and entities: |
|
|
(1) The University of Texas at Arlington; |
|
|
(2) The University of Texas at Austin; |
|
|
(3) The University of Texas at Dallas; |
|
|
(4) The University of Texas at El Paso; |
|
|
(5) The University of Texas Permian Basin; |
|
|
(6) The University of Texas at San Antonio; |
|
|
(7) The University of Texas Southwestern Medical |
|
|
Center; |
|
|
(8) The University of Texas Medical Branch at |
|
|
Galveston; |
|
|
(9) The University of Texas Health Science Center at |
|
|
Houston; |
|
|
(10) The University of Texas Health Science Center at |
|
|
San Antonio; |
|
|
(11) The University of Texas M. D. Anderson Cancer |
|
|
Center; |
|
|
(12) Stephen F. Austin State University, a member of |
|
|
The University of Texas System; |
|
|
(13) The University of Texas at Tyler; [and] |
|
|
(14) The University of Texas Rio Grande Valley; and |
|
|
(15) the Texas Cyber Command (Chapter 2063, Government |
|
|
Code). |
|
|
SECTION 23. Sections 772.012(b) and (c), Government Code, |
|
|
are amended to read as follows: |
|
|
(b) To apply for a grant under this chapter, a local |
|
|
government must submit with the grant application a written |
|
|
certification of the local government's compliance with the |
|
|
cybersecurity training required by Section 2063.103 [2054.5191]. |
|
|
(c) On a determination by the criminal justice division |
|
|
established under Section 772.006 that a local government awarded a |
|
|
grant under this chapter has not complied with the cybersecurity |
|
|
training required by Section 2063.103 [2054.5191], the local |
|
|
government shall pay to this state an amount equal to the amount of |
|
|
the grant award. A local government that is the subject of a |
|
|
determination described by this subsection is ineligible for |
|
|
another grant under this chapter until the second anniversary of |
|
|
the date the local government is determined ineligible. |
|
|
SECTION 24. Section 2054.0701(c), Government Code, is |
|
|
amended to read as follows: |
|
|
(c) A program offered under this section must: |
|
|
(1) be approved by the Texas Higher Education |
|
|
Coordinating Board in accordance with Section 61.0512, Education |
|
|
Code; |
|
|
(2) develop the knowledge and skills necessary for an |
|
|
entry-level information technology position in a state agency; and |
|
|
(3) include a one-year apprenticeship with: |
|
|
(A) the department; |
|
|
(B) another relevant state agency; |
|
|
(C) an organization working on a major |
|
|
information resources project; or |
|
|
(D) a regional network security center |
|
|
established under Section 2063.602 [2059.202]. |
|
|
SECTION 25. Section 2056.002(b), Government Code, is |
|
|
amended to read as follows: |
|
|
(b) The Legislative Budget Board and the governor's office |
|
|
shall determine the elements required to be included in each |
|
|
agency's strategic plan. Unless modified by the Legislative Budget |
|
|
Board and the governor's office, and except as provided by |
|
|
Subsection (c), a plan must include: |
|
|
(1) a statement of the mission and goals of the state |
|
|
agency; |
|
|
(2) a description of the indicators developed under |
|
|
this chapter and used to measure the output and outcome of the |
|
|
agency; |
|
|
(3) identification of the groups of people served by |
|
|
the agency, including those having service priorities, or other |
|
|
service measures established by law, and estimates of changes in |
|
|
those groups expected during the term of the plan; |
|
|
(4) an analysis of the use of the agency's resources to |
|
|
meet the agency's needs, including future needs, and an estimate of |
|
|
additional resources that may be necessary to meet future needs; |
|
|
(5) an analysis of expected changes in the services |
|
|
provided by the agency because of changes in state or federal law; |
|
|
(6) a description of the means and strategies for |
|
|
meeting the agency's needs, including future needs, and achieving |
|
|
the goals established under Section 2056.006 for each area of state |
|
|
government for which the agency provides services; |
|
|
(7) a description of the capital improvement needs of |
|
|
the agency during the term of the plan and a statement, if |
|
|
appropriate, of the priority of those needs; |
|
|
(8) identification of each geographic region of this |
|
|
state, including the Texas-Louisiana border region and the |
|
|
Texas-Mexico border region, served by the agency, and if |
|
|
appropriate the agency's means and strategies for serving each |
|
|
region; |
|
|
(9) a description of the training of the agency's |
|
|
contract managers under Section 656.052; |
|
|
(10) an analysis of the agency's expected expenditures |
|
|
that relate to federally owned or operated military installations |
|
|
or facilities, or communities where a federally owned or operated |
|
|
military installation or facility is located; |
|
|
(11) an analysis of the strategic use of information |
|
|
resources as provided by the instructions prepared under Section |
|
|
2054.095; |
|
|
(12) a written certification of the agency's |
|
|
compliance with the cybersecurity training required under Sections |
|
|
2063.103 [2054.5191] and 2063.104 [2054.5192]; and |
|
|
(13) other information that may be required. |
|
|
SECTION 26. (a) In this section, "department" means the |
|
|
Department of Information Resources. |
|
|
(b) On the effective date of this Act: |
|
|
(1) the Texas Cyber Command, organized as provided by |
|
|
Section 2063.002, Government Code, as added by this Act, is created |
|
|
with the powers and duties assigned by Chapter 2063, Government |
|
|
Code, as added by this Act; and |
|
|
(2) the chief information security officer of the |
|
|
department becomes the chief of the Texas Cyber Command, as |
|
|
described by Section 2063.0025, Government Code, as added by this |
|
|
Act. |
|
|
(c) Notwithstanding Subsection (b) of this section, the |
|
|
department shall continue to perform duties and exercise powers |
|
|
under Chapter 2054, Government Code, as that law existed |
|
|
immediately before the effective date of this Act, until the date |
|
|
provided by the memorandum of understanding entered into under |
|
|
Subsection (e) of this section. |
|
|
(d) Not later than December 31, 2026: |
|
|
(1) all functions and activities performed by the |
|
|
department that relate to cybersecurity under Chapter 2063, |
|
|
Government Code, as added by this Act, are transferred to the Texas |
|
|
Cyber Command; |
|
|
(2) all employees of the department who primarily |
|
|
perform duties related to cybersecurity, including employees who |
|
|
provide administrative support for those services, under Chapter |
|
|
2063, Government Code, as added by this Act, become employees of the |
|
|
Texas Cyber Command, but continue to work in the same physical |
|
|
location unless moved in accordance with the memorandum of |
|
|
understanding entered into under Subsection (e) of this section; |
|
|
(3) a rule or form adopted by the department that |
|
|
relates to cybersecurity under Chapter 2063, Government Code, as |
|
|
added by this Act, is a rule or form of the Texas Cyber Command and |
|
|
remains in effect until changed by the command; |
|
|
(4) a reference in law to the department that relates |
|
|
to cybersecurity under Chapter 2063, Government Code, as added by |
|
|
this Act, means the Texas Cyber Command; |
|
|
(5) a contract negotiation or other proceeding |
|
|
involving the department that is related to cybersecurity under |
|
|
Chapter 2063, Government Code, as added by this Act, is transferred |
|
|
without change in status to the Texas Cyber Command, and the Texas |
|
|
Cyber Command assumes, without a change in status, the position of |
|
|
the department in a negotiation or proceeding relating to |
|
|
cybersecurity to which the department is a party; |
|
|
(6) all money, contracts, leases, rights, and |
|
|
obligations of the department related to cybersecurity under |
|
|
Chapter 2063, Government Code, as added by this Act, are |
|
|
transferred to the Texas Cyber Command; |
|
|
(7) all property, including records, in the custody of |
|
|
the department related to cybersecurity under Chapter 2063, |
|
|
Government Code, as added by this Act, becomes property of the Texas |
|
|
Cyber Command, but stays in the same physical location unless moved |
|
|
in accordance with the specific steps and methods created under |
|
|
Subsection (e) of this section; and |
|
|
(8) all funds appropriated by the legislature to the |
|
|
department for purposes related to cybersecurity, including funds |
|
|
for providing administrative support, under Chapter 2063, |
|
|
Government Code, as added by this Act, are transferred to the Texas |
|
|
Cyber Command. |
|
|
(e) Not later than January 1, 2026, the department and the |
|
|
board of regents of The University of Texas System shall enter into |
|
|
a memorandum of understanding relating to the transfer of powers |
|
|
and duties from the department to the Texas Cyber Command as |
|
|
provided by this Act. The memorandum must include: |
|
|
(1) a timetable and specific steps and methods for the |
|
|
transfer of all powers, duties, obligations, rights, contracts, |
|
|
leases, records, real or personal property, and unspent and |
|
|
unobligated appropriations and other funds relating to the |
|
|
administration of the powers and duties as provided by this Act; |
|
|
(2) measures to ensure against any unnecessary |
|
|
disruption to cybersecurity operations during the transfer |
|
|
process; and |
|
|
(3) a provision that the terms of any memorandum of |
|
|
understanding entered into related to the transfer remain in effect |
|
|
until the transfer is completed. |
|
|
SECTION 27. This Act takes effect September 1, 2025. |