89R12748 LRM-F
 
  By: Capriglione H.B. No. 150
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the establishment of the Texas Cyber Command as a
  component institution of The University of Texas System and the
  transfer to it of certain powers and duties of the Department of
  Information Resources.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Subtitle B, Title 10, Government Code, is
  amended by adding Chapter 2063 to read as follows:
  CHAPTER 2063. TEXAS CYBER COMMAND
  SUBCHAPTER A. GENERAL PROVISIONS
         Sec. 2063.001.  DEFINITIONS. In this chapter:
               (1)  "Chief" means the chief of the Texas Cyber
  Command.
               (2)  "Command" means the Texas Cyber Command
  established under this chapter.
               (3)  "Covered entity" means a private entity operating
  critical infrastructure or a local government that the command
  contracts with in order to provide cybersecurity services under
  this chapter.
               (4)  "Critical infrastructure" means infrastructure in
  this state vital to the security, governance, public health and
  safety, economy, or morale of the state or the nation, including:
                     (A)  chemical facilities;
                     (B)  commercial facilities;
                     (C)  communication facilities;
                     (D)  manufacturing facilities;
                     (E)  dams;
                     (F)  defense industrial bases;
                     (G)  emergency services systems;
                     (H)  energy facilities;
                     (I)  financial services systems;
                     (J)  food and agriculture facilities;
                     (K)  government facilities;
                     (L)  health care and public health facilities;
                     (M)  information technology and information
  technology systems;
                     (N)  nuclear reactors, materials, and waste;
                     (O)  transportation systems; or
                     (P)  water and wastewater systems.
               (5)  "Cybersecurity" means the measures taken to
  protect a computer, computer network, computer system, or other
  technology infrastructure against unauthorized:
                     (A)  use, access, disruption, modification, or
  destruction; or
                     (B)  disclosure, modification, or destruction of
  information.
               (6)  "Cybersecurity incident" includes:
                     (A)  a breach or suspected breach of system
  security as defined by Section 521.053, Business & Commerce Code;
                     (B)  the introduction of ransomware, as defined by
  Section 33.023, Penal Code, into a computer, computer network, or
  computer system; or
                     (C)  any other cybersecurity-related occurrence
  that jeopardizes information or an information system designated by
  command policy adopted under this chapter.
               (7)  "Department" means the Department of Information
  Resources.
               (8)  "Governmental entity" means this state, a state
  agency, or a local government.
               (9)  "Information resources" has the meaning assigned
  by Section 2054.003, Government Code.
               (10)  "Information resources technologies" has the
  meaning assigned by Section 2054.003.
               (11)  "Local government" has the meaning assigned by
  Section 2054.003.
               (12)  "Sensitive personal information" has the meaning
  assigned by Section 521.002, Business & Commerce Code.
               (13)  "State agency" means:
                     (A)  a department, commission, board, office, or
  other agency that is in the executive or legislative branch of state
  government and that was created by the constitution or a statute;
                     (B)  the supreme court, the court of criminal
  appeals, a court of appeals, a district court, or the Texas Judicial
  Council or another agency in the judicial branch of state
  government; or
                     (C)  a university system or an institution of
  higher education as defined by Section 61.003, Education Code.
         Sec. 2063.002.  ORGANIZATION. (a) The Texas Cyber Command
  is a component of The University of Texas System and
  administratively attached to The University of Texas at San
  Antonio.
         (b)  The command is managed by a chief appointed by the
  governor and confirmed with the advice and consent of the senate.  
  The chief serves at the pleasure of the governor and must possess
  professional training and knowledge relevant to the functions and
  duties of the command.
         (c)  The command shall employ other coordinating and
  planning officers and other personnel necessary to the performance
  of its functions.
         (d)  Under an agreement with the command, The University of
  Texas at San Antonio shall provide administrative support services
  for the command as necessary to carry out the purposes of this
  chapter.
         Sec. 2063.003.  ESTABLISHMENT AND PURPOSE. (a) The command
  is established to prevent and respond to cybersecurity incidents
  that affect governmental entities and critical infrastructure in
  this state.
         (b)  The command is responsible for cybersecurity for this
  state, including:
               (1)  developing tools to enhance cybersecurity
  defenses;
               (2)  facilitating education and training of a
  cybersecurity workforce;
               (3)  in collaboration with the department,
  establishing appropriate cybersecurity standards; and
               (4)  creating partnerships needed to effectively carry
  out the command's functions.
         Sec. 2063.004.  GENERAL POWERS AND DUTIES. (a) The command
  shall:
               (1)  promote public awareness of cybersecurity issues;
               (2)  develop cybersecurity best practices and minimum
  standards for governmental entities;
               (3)  develop and provide training to state agencies and
  covered entities on cybersecurity measures and awareness;
               (4)  administer the cybersecurity threat intelligence
  center under Section 2063.201;
               (5)  provide support to state agencies and covered
  entities experiencing a cybersecurity incident;
               (6)  administer the digital forensics laboratory under
  Section 2063.203;
               (7)  administer a statewide portal for enterprise
  cybersecurity threat, risk, and incident management, and operate a
  cybersecurity hotline available for state agencies and covered
  entities 24 hours a day, seven days a week;
               (8)  collaborate with law enforcement agencies to
  provide training and support related to cybersecurity incidents;
               (9)  serve as a clearinghouse for information relating
  to all aspects of protecting the cybersecurity of governmental
  entities, including sharing appropriate intelligence and
  information with governmental entities, federal agencies, and
  covered entities;
               (10)  collaborate with the department to ensure
  information resources and information resources technologies
  obtained by the department meet the cybersecurity standards and
  requirements established under this chapter;
               (11)  offer cybersecurity resources to state agencies
  and covered entities as determined by the command; and
               (12)  adopt policies to ensure state agencies implement
  sufficient cybersecurity measures to defend information resources,
  information resources technologies, and sensitive personal
  information maintained by the agencies.
         (b)  The command may:
               (1)  adopt and enforce policies necessary to carry out
  this chapter;
               (2)  adopt and use an official seal;
               (3)  establish ad hoc advisory committees as necessary
  to carry out the command's duties under this chapter;
               (4)  acquire and convey property or an interest in
  property;
               (5)  procure insurance and pay premiums on insurance of
  any type, in accounts, and from insurers as the command considers
  necessary and advisable to accomplish any of the command's duties;
  and
               (6)  hold patents, copyrights, trademarks, or other
  evidence of protection or exclusivity issued under the laws of the
  United States, any state, or any nation and may enter into license
  agreements with any third parties for the receipt of fees,
  royalties, or other monetary or nonmonetary value.
         (c)  Except as otherwise provided by this chapter, the
  command shall deposit money paid to the command under this chapter
  in the state treasury to the credit of the general revenue fund.
         Sec. 2063.005.  COST RECOVERY. The command shall recover
  the cost of providing direct technical assistance, training
  services, and other services to covered entities when reasonable
  and practical.
         Sec. 2063.007.  EMERGENCY PURCHASING. In the event the
  emergency response to a cybersecurity incident requires the command
  to purchase an item, the command is exempt from the requirements of
  Sections 2155.0755, 2155.083, and 2155.132(c) in making the
  purchase.
         Sec. 2063.008.  RULES. The governor may adopt rules
  necessary for carrying out the purposes of this chapter.
         Sec. 2063.009.  APPLICATION OF SUNSET ACT. The command is
  subject to Chapter 325 (Texas Sunset Act). Unless continued in
  existence as provided by that chapter, the command is abolished
  September 1, 2035.
  SUBCHAPTER B. MINIMUM STANDARDS AND TRAINING
         Sec. 2063.101.  BEST PRACTICES AND MINIMUM STANDARDS FOR
  CYBERSECURITY AND TRAINING. (a) The command shall develop and
  annually assess best practices and minimum standards for use by
  governmental entities to enhance the security of information
  resources in this state.
         (b)  The command shall establish and periodically assess
  mandatory cybersecurity training that must be completed by all
  information resources employees of state agencies. The command
  shall consult with the Information Technology Council for Higher
  Education established under Section 2054.121 regarding applying
  the training requirements to employees of institutions of higher
  education.
         (c)  The command shall adopt policies to ensure governmental
  entities are complying with the requirements of this section.
  SUBCHAPTER C.  CYBERSECURITY PREVENTION, RESPONSE, AND RECOVERY
         Sec. 2063.201.  CYBERSECURITY THREAT INTELLIGENCE CENTER.
  (a) In this section, "center" means the cybersecurity threat
  intelligence center established under this section.
         (b)  The command shall establish a cybersecurity threat
  intelligence center.  The center, in coordination with the
  department, shall:
               (1)  operate the information sharing and analysis
  organization established under Section 2063.204; and
               (2)  use regional security operations centers
  established under Subchapter G and the cybersecurity incident
  response unit under Section 2063.202 to assist governmental
  entities in responding to a cybersecurity incident.
         (c)  The chief may employ a director for the center.
         Sec. 2063.202.  CYBERSECURITY INCIDENT RESPONSE UNIT. (a)
  The command shall establish a dedicated cybersecurity incident
  response unit to:
               (1)  detect and contain cybersecurity incidents in
  collaboration with the cybersecurity threat intelligence center
  under Section 2063.201;
               (2)  engage in threat neutralization, including
  removing malware, disallowing unauthorized access, and patching
  vulnerabilities in information resources technologies;
               (3)  in collaboration with the digital forensics
  laboratory under Section 2063.203, undertake mitigation efforts if
  sensitive personal information is breached during a cybersecurity
  incident;
               (4)  loan resources to state agencies and covered
  entities to promote continuity of operations while the agency or
  entity restores the systems affected by a cybersecurity incident;
               (5)  assist in the restoration of information resources
  and information resources technologies after a cybersecurity
  incident and conduct post-incident monitoring;
               (6)  in collaboration with the cybersecurity threat
  intelligence center under Section 2063.201 and digital forensics
  laboratory under Section 2063.203, identify weaknesses, establish
  risk mitigation options and effective vulnerability-reduction
  strategies, and make recommendations to state agencies and covered
  entities that have been the target of a cybersecurity attack or have
  experienced a cybersecurity incident in order to remediate
  identified cybersecurity vulnerabilities;
               (7)  in collaboration with the cybersecurity threat
  intelligence center under Section 2063.201, the digital forensics
  laboratory under Section 2063.203, the Texas Division of Emergency
  Management, and other state agencies, conduct, support, and
  participate in cyber-related exercises; and
               (8)  undertake any other activities necessary to carry
  out the duties described by this subsection.
         (b)  The chief shall employ a director for the cybersecurity
  incident response unit.
         Sec. 2063.203.  DIGITAL FORENSICS LABORATORY. (a) The
  command shall establish a digital forensics laboratory to:
               (1)  in collaboration with the cybersecurity incident
  response unit under Section 2063.202, develop procedures to:
                     (A)  preserve evidence of a cybersecurity
  incident, including logs and communication;
                     (B)  document chains of custody; and
                     (C)  timely notify and maintain contact with the
  appropriate law enforcement agencies investigating a cybersecurity
  incident;
               (2)  develop and share with relevant state agencies and
  covered entities cyber threat hunting tools and procedures to
  assist in identifying indicators of a compromise in the
  cybersecurity of state information systems and non-state
  information systems, as appropriate, for proactive discovery of
  latent intrusions;
               (3)  conduct analyses of causes of cybersecurity
  incidents and of remediation options;
               (4)  conduct assessments of the scope of harm caused by
  cybersecurity incidents, including data loss, compromised systems,
  and system disruptions;
               (5)  provide information and training to state agencies
  and covered entities on producing reports required by regulatory
  and auditing bodies;
               (6)  in collaboration with the Department of Public
  Safety, the Texas Military Department, the office of the attorney
  general, and other state agencies, provide forensic analysis of a
  cybersecurity incident to support an investigation, attribution
  process, or other law enforcement or judicial action; and
               (7)  undertake any other activities necessary to carry
  out the duties described by this subsection.
         (b)  The chief shall employ a director for the digital
  forensics laboratory.
         Sec. 2063.205.  POLICIES. The command shall adopt policies
  and procedures necessary to enable the entities established in this
  subchapter to carry out their respective duties and purposes.
  SUBCHAPTER E. CYBERSECURITY PREPARATION AND PLANNING
         Sec. 2063.404.  ONGOING INFORMATION TRANSMISSIONS.
  Information received from state agencies by the department under
  Section 2054.069 shall be transmitted by the department to the
  command on an ongoing basis.
         SECTION 2.  Section 2054.510, Government Code, is
  transferred to Subchapter A, Chapter 2063, Government Code, as
  added by this Act, redesignated as Section 2063.0025, Government
  Code, and amended to read as follows:
         Sec. 2063.0025 [2054.510].  COMMAND CHIEF [INFORMATION
  SECURITY OFFICER]. (a)  In this section, "state cybersecurity
  [information security] program" means the policies, standards,
  procedures, elements, structure, strategies, objectives, plans,
  metrics, reports, services, and resources that establish the
  cybersecurity [information resources security] function for this
  state.
         (b)  The chief directs the day-to-day operations and
  policies of the command and oversees and is responsible for all
  functions and duties of the command.  [The executive director,
  using existing funds, shall employ a chief information security
  officer.]
         (c)  The chief [information security officer] shall oversee
  cybersecurity matters for this state including:
               (1)  implementing the duties described by Section
  2063.004 [2054.059];
               (2)  [responding to reports received under Section
  2054.1125;
               [(3)]  developing a statewide cybersecurity
  [information security] framework;
               (3) [(4)]  overseeing the development of cybersecurity
  [statewide information security] policies and standards;
               (4) [(5)]  collaborating with [state agencies, local]
  governmental entities[,] and other entities operating or
  exercising control over state information systems or
  state-controlled data critical to strengthen this state's
  cybersecurity and information security policies, standards, and
  guidelines;
               (5) [(6)]  overseeing the implementation of the
  policies, standards, and requirements [guidelines] developed under
  this chapter [Subdivisions (3) and (4)];
               (6) [(7)]  providing cybersecurity [information
  security] leadership, strategic direction, and coordination for
  the state cybersecurity [information security] program;
               (7) [(8)]  providing strategic direction to:
                     (A)  the network security center established
  under Section 2059.101; and
                     (B)  regional security operations [statewide
  technology] centers operated under Subchapter G [L]; and
               (8) [(9)]  overseeing the preparation and submission
  of the report described by Section 2063.301 [2054.0591].
         SECTION 3.  Section 2054.0592, Government Code, is
  transferred to Subchapter A, Chapter 2063, Government Code, as
  added by this Act, redesignated as Section 2063.006, Government
  Code, and amended to read as follows:
         Sec. 2063.006 [2054.0592].  CYBERSECURITY EMERGENCY
  FUNDING. If a cybersecurity event creates a need for emergency
  funding, the command [department] may request that the governor or
  Legislative Budget Board make a proposal under Chapter 317 to
  provide funding to manage the operational and financial impacts
  from the cybersecurity event.
         SECTION 4.  Section 2054.519, Government Code, is
  transferred to Subchapter B, Chapter 2063, Government Code, as
  added by this Act, redesignated as Section 2063.102, Government
  Code, and amended to read as follows:
         Sec. 2063.102 [2054.519].  STATE CERTIFIED CYBERSECURITY
  TRAINING PROGRAMS. (a) The command [department], in consultation
  with the cybersecurity council established under Section 2063.406
  [2054.512] and industry stakeholders, shall annually:
               (1)  certify at least five cybersecurity training
  programs for state and local government employees; and
               (2)  update standards for maintenance of certification
  by the cybersecurity training programs under this section.
         (b)  To be certified under Subsection (a), a cybersecurity
  training program must:
               (1)  focus on forming appropriate cybersecurity
  [information security] habits and procedures that protect
  information resources; and
               (2)  teach best practices and minimum standards
  established under this subchapter [for detecting, assessing,
  reporting, and addressing information security threats].
         (c)  The command [department] may identify and certify under
  Subsection (a) training programs provided by state agencies and
  local governments that satisfy the training requirements described
  by Subsection (b).
         (d)  The command [department] may contract with an
  independent third party to certify cybersecurity training programs
  under this section.
         (e)  The command [department] shall annually publish on the
  command's [department's] Internet website the list of cybersecurity
  training programs certified under this section.
         SECTION 5.  Section 2054.5191, Government Code, is
  transferred to Subchapter B, Chapter 2063, Government Code, as
  added by this Act, redesignated as Section 2063.103, Government
  Code, and amended to read as follows:
         Sec. 2063.103 [2054.5191].  CYBERSECURITY TRAINING REQUIRED
  [: CERTAIN EMPLOYEES AND OFFICIALS].  (a)  Each elected or appointed
  official and employee of a governmental entity who has access to the
  entity's information resources or information resources
  technologies [state agency shall identify state employees who use a
  computer to complete at least 25 percent of the employee's required
  duties.  At least once each year, an employee identified by the
  state agency and each elected or appointed officer of the agency]
  shall annually complete a cybersecurity training program certified
  under Section 2063.102 [2054.519].
         (b)  [(a-1)  At least once each year, a local government
  shall:
               [(1)  identify local government employees and elected
  and appointed officials who have access to a local government
  computer system or database and use a computer to perform at least
  25 percent of the employee's or official's required duties; and
               [(2)  require the employees and officials identified
  under Subdivision (1) to complete a cybersecurity training program
  certified under Section 2054.519.
         [(a-2)]  The governing body of a governmental entity [local
  government] or the governing body's designee may deny access to the
  governmental entity's information resources or information
  resources technologies [local government's computer system or
  database] to an employee or official [individual described by
  Subsection (a-1)(1)] who [the governing body or the governing
  body's designee determines] is noncompliant with the requirements
  of Subsection (a) [(a-1)(2)].
         (c) [(b)]  The governing body of a local government may
  select the most appropriate cybersecurity training program
  certified under Section 2063.102 [2054.519] for employees and
  officials of the local government to complete.  The governing body
  shall:
               (1)  verify and report on the completion of a
  cybersecurity training program by employees and officials of the
  local government to the command [department]; and
               (2)  require periodic audits to ensure compliance with
  this section.
         (d) [(c)]  A state agency may select the most appropriate
  cybersecurity training program certified under Section 2063.102
  [2054.519] for employees and officials of the state agency.  The
  executive head of each state agency shall verify completion of a
  cybersecurity training program by employees and officials of the
  state agency in a manner specified by the command [department].
         (e) [(d)]  The executive head of each state agency shall
  periodically require an internal review of the agency to ensure
  compliance with this section.
         (f) [(e)]  The command [department] shall develop a form for
  use by governmental entities [state agencies and local governments]
  in verifying completion of cybersecurity training program
  requirements under this section.  The form must allow the state
  agency and local government to indicate the percentage of employee
  and official completion.
         (g) [(f)]  The requirements of Subsection [Subsections] (a)
  [and (a-1)] do not apply to employees and officials who have been:
               (1)  granted military leave;
               (2)  granted leave under the federal Family and Medical
  Leave Act of 1993 (29 U.S.C. Section 2601 et seq.);
               (3)  granted leave related to a sickness or disability
  covered by workers' compensation benefits, if that employee or
  official no longer has access to the governmental entity's
  information resources or information resources technologies [state
  agency's or local government's database and systems];
               (4)  granted any other type of extended leave or
  authorization to work from an alternative work site if that
  employee or official no longer has access to the governmental
  entity's information resources or information resources
  technologies [state agency's or local government's database and
  systems]; or
               (5)  denied access to a governmental entity's
  information resources or information resources technologies [local
  government's computer system or database by the governing body of
  the local government or the governing body's designee] under
  Subsection (b) [(a-2)] for noncompliance with the requirements of
  Subsection (a) [(a-1)(2)].
         SECTION 6.  Section 2054.5192, Government Code, is
  transferred to Subchapter B, Chapter 2063, Government Code, as
  added by this Act, redesignated as Section 2063.104, Government
  Code, and amended to read as follows:
         Sec. 2063.104  [2054.5192].  CYBERSECURITY TRAINING
  REQUIRED: CERTAIN STATE CONTRACTORS.  (a)  In this section,
  "contractor" includes a subcontractor, officer, or employee of the
  contractor.
         (b)  A state agency shall require any contractor who has
  access to a state computer system or database to complete a
  cybersecurity training program certified under Section 2063.102
  [2054.519] as selected by the agency.
         (c)  The cybersecurity training program must be completed by
  a contractor during the term of the contract and during any renewal
  period.
         (d)  Required completion of a cybersecurity training program
  must be included in the terms of a contract awarded by a state
  agency to a contractor.
         (e)  A contractor required to complete a cybersecurity
  training program under this section shall verify completion of the
  program to the contracting state agency.  The person who oversees
  contract management for the agency shall:
               (1)  not later than August 31 of each year, report the
  contractor's completion to the command [department]; and
               (2)  periodically review agency contracts to ensure
  compliance with this section.
         SECTION 7.  Section 2054.0594, Government Code, is
  transferred to Subchapter C, Chapter 2063, Government Code, as
  added by this Act, redesignated as Section 2063.204, Government
  Code, and amended to read as follows:
         Sec. 2063.204  [2054.0594].  INFORMATION SHARING AND
  ANALYSIS ORGANIZATION. (a)  The command [department] shall
  establish an information sharing and analysis organization to
  provide a forum for state agencies, local governments, public and
  private institutions of higher education, and the private sector to
  share information regarding cybersecurity threats, best practices,
  and remediation strategies.
         (b)  [The department shall provide administrative support to
  the information sharing and analysis organization.
         [(c)]  A participant in the information sharing and analysis
  organization shall assert any exception available under state or
  federal law, including Section 552.139, in response to a request
  for public disclosure of information shared through the
  organization.  Section 552.007 does not apply to information
  described by this subsection.
         (c) [(d)]  The command [department] shall establish a
  framework for regional cybersecurity task forces [working groups]
  to execute mutual aid agreements that allow state agencies, local
  governments, regional planning commissions, public and private
  institutions of higher education, the private sector, the regional
  security operations centers under Subchapter G, and the
  cybersecurity incident response unit under Section 2063.202 [and
  the incident response team established under Subchapter N-2] to
  assist with responding to a cybersecurity incident [event] in this
  state.  A task force [working group] may be established within the
  geographic area of a regional planning commission established under
  Chapter 391, Local Government Code.  The task force [working group]
  may establish a list of available cybersecurity experts and share
  resources to assist in responding to the cybersecurity incident
  [event] and recovery from the incident [event].
         SECTION 8.  Chapter 2063, Government Code, as added by this
  Act, is amended by adding Subchapter D, and a heading is added to
  that subchapter to read as follows:
  SUBCHAPTER D.  REPORTING
         SECTION 9.  Sections 2054.0591 and 2054.077, Government
  Code, are transferred to Subchapter D, Chapter 2063, Government
  Code, as added by this Act, redesignated as Sections 2063.301 and
  2063.302, Government Code, respectively, and amended to read as
  follows:
         Sec. 2063.301  [2054.0591].  CYBERSECURITY REPORT.  (a)  Not
  later than November 15 of each even-numbered year, the command
  [department] shall submit to the governor, the lieutenant governor,
  the speaker of the house of representatives, and the standing
  committee of each house of the legislature with primary
  jurisdiction over state government operations a report identifying
  preventive and recovery efforts the state can undertake to improve
  cybersecurity in this state.  The report must include:
               (1)  an assessment of the resources available to
  address the operational and financial impacts of a cybersecurity
  event;
               (2)  a review of existing statutes regarding
  cybersecurity and information resources technologies; and
               (3)  recommendations for legislative action to
  increase the state's cybersecurity and protect against adverse
  impacts from a cybersecurity incident [event; and
               [(4)  an evaluation of a program that provides an
  information security officer to assist small state agencies and
  local governments that are unable to justify hiring a full-time
  information security officer].
         (b)  Not later than October 1 of each even-numbered year, the
  command shall submit a report to the Legislative Budget Board that
  prioritizes, for the purpose of receiving funding, state agency
  cybersecurity projects. Each state agency shall coordinate with the
  command to implement this subsection.
         (c) [(b)]  The command [department] or a recipient of a
  report under this section may redact or withhold information
  confidential under Chapter 552, including Section 552.139, or other
  state or federal law that is contained in the report in response to
  a request under Chapter 552 without the necessity of requesting a
  decision from the attorney general under Subchapter G, Chapter 552.
  The disclosure of information under this section is not a voluntary
  disclosure for purposes of Section 552.007.
         Sec. 2063.302  [2054.077].  VULNERABILITY REPORTS.  (a)  In
  this section, a term defined by Section 33.01, Penal Code, has the
  meaning assigned by that section.
         (b)  The information security officer of a state agency shall
  prepare or have prepared a report, including an executive summary
  of the findings of the biennial report, not later than June 1 of
  each even-numbered year, assessing the extent to which a computer,
  a computer program, a computer network, a computer system, a
  printer, an interface to a computer system, including mobile and
  peripheral devices, computer software, or data processing of the
  agency or of a contractor of the agency is vulnerable to
  unauthorized access or harm, including the extent to which the
  agency's or contractor's electronically stored information is
  vulnerable to alteration, damage, erasure, or inappropriate use.
         (c)  Except as provided by this section, a vulnerability
  report and any information or communication prepared or maintained
  for use in the preparation of a vulnerability report is
  confidential and is not subject to disclosure under Chapter 552.
         (d)  The information security officer shall provide an
  electronic copy of the vulnerability report on its completion to:
               (1)  the command [department];
               (2)  the state auditor;
               (3)  the agency's executive director;
               (4)  the agency's designated information resources
  manager; and
               (5)  any other information technology security
  oversight group specifically authorized by the legislature to
  receive the report.
         (e)  Separate from the executive summary described by
  Subsection (b), a state agency shall prepare a summary of the
  agency's vulnerability report that does not contain any information
  the release of which might compromise the security of the state
  agency's or state agency contractor's computers, computer programs,
  computer networks, computer systems, printers, interfaces to
  computer systems, including mobile and peripheral devices,
  computer software, data processing, or electronically stored
  information.  [The summary is available to the public on request.]
         SECTION 10.  Section 2054.136, Government Code, is
  transferred to Subchapter E, Chapter 2063, Government Code, as
  added by this Act, redesignated as Section 2063.401, Government
  Code, and amended to read as follows:
         Sec. 2063.401  [2054.136].  DESIGNATED INFORMATION SECURITY
  OFFICER.  Each state agency shall designate an information security
  officer who:
               (1)  reports to the agency's executive-level
  management;
               (2)  has authority over information security for the
  entire agency;
               (3)  possesses the training and experience required to
  ensure the agency complies with requirements and policies
  established by the command [perform the duties required by
  department rules]; and
               (4)  to the extent feasible, has information security
  duties as the officer's primary duties.
         SECTION 11.  Section 2054.518, Government Code, is
  transferred to Subchapter E, Chapter 2063, Government Code, as
  added by this Act, redesignated as Section 2063.402, Government
  Code, and amended to read as follows:
         Sec. 2063.402  [2054.518].  CYBERSECURITY RISKS AND
  INCIDENTS.  (a)  The command [department] shall develop a plan to
  address cybersecurity risks and incidents in this state.  The
  command [department] may enter into an agreement with a national
  organization, including the National Cybersecurity Preparedness
  Consortium, to support the command's [department's] efforts in
  implementing the components of the plan for which the command
  [department] lacks resources to address internally.  The agreement
  may include provisions for:
               (1)  providing technical assistance services to
  support preparedness for and response to cybersecurity risks and
  incidents;
               (2)  conducting cybersecurity simulation exercises for
  state agencies to encourage coordination in defending against and
  responding to cybersecurity risks and incidents;
               (3)  assisting state agencies in developing
  cybersecurity information-sharing programs to disseminate
  information related to cybersecurity risks and incidents; and
               (4)  incorporating cybersecurity risk and incident
  prevention and response methods into existing state emergency
  plans, including continuity of operation plans and incident
  response plans.
         (b)  In implementing the provisions of the agreement
  prescribed by Subsection (a), the command [department] shall seek
  to prevent unnecessary duplication of existing programs or efforts
  of the command [department] or another state agency.
         (c) [(d)]  The command [department] shall consult with
  institutions of higher education in this state when appropriate
  based on an institution's expertise in addressing specific
  cybersecurity risks and incidents.
         SECTION 12.  Section 2054.133, Government Code, is
  transferred to Subchapter E, Chapter 2063, Government Code, as
  added by this Act, redesignated as Section 2063.403, Government
  Code, and amended to read as follows:
         Sec. 2063.403  [2054.133].  INFORMATION SECURITY PLAN.  (a)  
  Each state agency shall develop, and periodically update, an
  information security plan for protecting the security of the
  agency's information.
         (b)  In developing the plan, the state agency shall:
               (1)  consider any vulnerability report prepared under
  Section 2063.302 [2054.077] for the agency;
               (2)  incorporate the network security services
  provided by the department to the agency under Chapter 2059;
               (3)  identify and define the responsibilities of agency
  staff who produce, access, use, or serve as custodians of the
  agency's information;
               (4)  identify risk management and other measures taken
  to protect the agency's information from unauthorized access,
  disclosure, modification, or destruction;
               (5)  include:
                     (A)  the best practices for information security
  developed by the command [department]; or
                     (B)  if best practices are not applied, a written
  explanation of why the best practices are not sufficient for the
  agency's security; and
               (6)  omit from any written copies of the plan
  information that could expose vulnerabilities in the agency's
  network or online systems.
         (c)  Not later than June 1 of each even-numbered year, each
  state agency shall submit a copy of the agency's information
  security plan to the command [department].  Subject to available
  resources, the command [department] may select a portion of the
  submitted security plans to be assessed by the command [department]
  in accordance with command policies [department rules].
         (d)  Each state agency's information security plan is
  confidential and exempt from disclosure under Chapter 552.
         (e)  Each state agency shall include in the agency's
  information security plan a written document that is signed by the
  head of the agency, the chief financial officer, and each executive
  manager designated by the state agency and states that those
  persons have been made aware of the risks revealed during the
  preparation of the agency's information security plan.
         (f)  Not later than November 15 of each even-numbered year,
  the command [department] shall submit a written report to the
  governor, the lieutenant governor, the speaker of the house of
  representatives, and each standing committee of the legislature
  with primary jurisdiction over matters related to the command
  [department] evaluating information security for this state's
  information resources.  In preparing the report, the command
  [department] shall consider the information security plans
  submitted by state agencies under this section, any vulnerability
  reports submitted under Section 2063.302 [2054.077], and other
  available information regarding the security of this state's
  information resources.  The command [department] shall omit from
  any written copies of the report information that could expose
  specific vulnerabilities [in the security of this state's
  information resources].
         SECTION 13.  Section 2054.516, Government Code, is
  transferred to Subchapter E, Chapter 2063, Government Code, as
  added by this Act, redesignated as Section 2063.405, Government
  Code, and amended to read as follows:
         Sec. 2063.405  [2054.516].  DATA SECURITY PLAN FOR ONLINE
  AND MOBILE APPLICATIONS.  (a)  Each state agency implementing an
  Internet website or mobile application that processes any sensitive
  personal or personally identifiable information or confidential
  information must:
               (1)  submit a biennial data security plan to the
  command [department] not later than June 1 of each even-numbered
  year to establish planned beta testing for the website or
  application; and
               (2)  subject the website or application to a
  vulnerability and penetration test and address any vulnerability
  identified in the test.
         (b)  The command [department] shall review each data
  security plan submitted under Subsection (a) and make any
  recommendations for changes to the plan to the state agency as soon
  as practicable after the command [department] reviews the plan.
         SECTION 14.  Section 2054.512, Government Code, is
  transferred to Subchapter E, Chapter 2063, Government Code, as
  added by this Act, redesignated as Section 2063.406, Government
  Code, and amended to read as follows:
         Sec. 2063.406  [2054.512].  CYBERSECURITY COUNCIL.  (a)  The
  chief or the chief's designee [state cybersecurity coordinator]
  shall [establish and] lead a cybersecurity council that includes
  public and private sector leaders and cybersecurity practitioners
  to collaborate on matters of cybersecurity concerning this state.
         (b)  The cybersecurity council must include:
               (1)  one member who is an employee of the office of the
  governor;
               (2)  one member of the senate appointed by the
  lieutenant governor;
               (3)  one member of the house of representatives
  appointed by the speaker of the house of representatives;
               (4)  one member who is an employee of the Elections
  Division of the Office of the Secretary of State; [and]
               (5)  one member who is an employee of the department;
  and
               (6)  additional members appointed by the chief [state
  cybersecurity coordinator], including representatives of
  institutions of higher education and private sector leaders.
         (c)  Members of the cybersecurity council serve staggered
  six-year terms, with as near as possible to one-third of the
  members' terms expiring February 1 of each odd-numbered year.
         (d)  In appointing representatives from institutions of
  higher education to the cybersecurity council, the chief [state
  cybersecurity coordinator] shall consider appointing members of
  the Information Technology Council for Higher Education.
         (e) [(d)]  The cybersecurity council shall:
               (1)  consider the costs and benefits of establishing a
  computer emergency readiness team to address cybersecurity
  incidents [cyber attacks] occurring in this state during routine
  and emergency situations;
               (2)  establish criteria and priorities for addressing
  cybersecurity threats to critical state installations;
               (3)  consolidate and synthesize best practices to
  assist state agencies in understanding and implementing
  cybersecurity measures that are most beneficial to this state; and
               (4)  assess the knowledge, skills, and capabilities of
  the existing information technology and cybersecurity workforce to
  mitigate and respond to cyber threats and develop recommendations
  for addressing immediate workforce deficiencies and ensuring a
  long-term pool of qualified applicants.
         (f) [(e)]  The chief, in collaboration with the
  cybersecurity council, shall provide recommendations to the
  legislature on any legislation necessary to implement
  cybersecurity best practices and remediation strategies for this
  state.
         SECTION 15.  Section 2054.514, Government Code, is
  transferred to Subchapter E, Chapter 2063, Government Code, as
  added by this Act, redesignated as Section 2063.407, Government
  Code, and amended to read as follows:
         Sec. 2063.407  [2054.514].  RECOMMENDATIONS.  The chief
  [state cybersecurity coordinator] may implement any portion, or all
  of the recommendations made by the cybersecurity council under
  Section 2063.406 [Cybersecurity, Education, and Economic
  Development Council under Subchapter N].
         SECTION 16.  Subchapter N-2, Chapter 2054, Government Code,
  is transferred to Chapter 2063, Government Code, as added by this
  Act, redesignated as Subchapter F, Chapter 2063, Government Code,
  and amended to read as follows:
  SUBCHAPTER F [N-2].  TEXAS VOLUNTEER INCIDENT RESPONSE TEAM
         Sec. 2063.501  [2054.52001].  DEFINITIONS.  In this
  subchapter:
               (1)  "Incident response team" means the Texas volunteer
  incident response team established under Section 2063.502
  [2054.52002].
               (2)  "Participating entity" means a state agency,
  including an institution of higher education, or a local government
  that receives assistance under this subchapter during a
  cybersecurity incident [event].
               (3)  "Volunteer" means an individual who provides rapid
  response assistance during a cybersecurity incident [event] under
  this subchapter.
         Sec. 2063.502 [2054.52002].  ESTABLISHMENT OF TEXAS
  VOLUNTEER INCIDENT RESPONSE TEAM.  (a)  The command [department]
  shall establish the Texas volunteer incident response team to
  provide rapid response assistance to a participating entity under
  the command's [department's] direction during a cybersecurity
  incident [event].
         (b)  The command [department] shall prescribe eligibility
  criteria for participation as a volunteer member of the incident
  response team, including a requirement that each volunteer have
  expertise in addressing cybersecurity incidents [events].
         Sec. 2063.503 [2054.52003].  CONTRACT WITH VOLUNTEERS.  The
  command [department] shall enter into a contract with each
  volunteer the command [department] approves to provide rapid
  response assistance under this subchapter.  The contract must
  require the volunteer to:
               (1)  acknowledge the confidentiality of information
  required by Section 2063.510 [2054.52010];
               (2)  protect all confidential information from
  disclosure;
               (3)  avoid conflicts of interest that might arise in a
  deployment under this subchapter;
               (4)  comply with command [department] security
  policies and procedures regarding information resources
  technologies;
               (5)  consent to background screening required by the
  command [department]; and
               (6)  attest to the volunteer's satisfaction of any
  eligibility criteria established by the command [department].
         Sec. 2063.504 [2054.52004].  VOLUNTEER QUALIFICATION.  (a)  
  The command [department] shall require criminal history record
  information for each individual who accepts an invitation to become
  a volunteer.
         (b)  The command [department] may request other information
  relevant to the individual's qualification and fitness to serve as
  a volunteer.
         (c)  The command [department] has sole discretion to
  determine whether an individual is qualified to serve as a
  volunteer.
         Sec. 2063.505  [2054.52005].  DEPLOYMENT.  (a)  In response
  to a cybersecurity incident [event] that affects multiple
  participating entities or a declaration by the governor of a state
  of disaster caused by a cybersecurity event, the command
  [department] on request of a participating entity may deploy
  volunteers and provide rapid response assistance under the
  command's [department's] direction and the managed security
  services framework established under Section 2063.204(c)
  [2054.0594(d)] to assist with the incident [event].
         (b)  A volunteer may only accept a deployment under this
  subchapter in writing.  A volunteer may decline to accept a
  deployment for any reason.
         Sec. 2063.506 [2054.52006].  CYBERSECURITY COUNCIL
  DUTIES.  The cybersecurity council established under Section
  2063.406 [2054.512] shall review and make recommendations to the
  command [department] regarding the policies and procedures used by
  the command [department] to implement this subchapter.  The command
  [department] may consult with the council to implement and
  administer this subchapter.
         Sec. 2063.507 [2054.52007].  COMMAND [DEPARTMENT] POWERS
  AND DUTIES.  (a)  The command [department] shall:
               (1)  approve the incident response tools the incident
  response team may use in responding to a cybersecurity incident
  [event];
               (2)  establish the eligibility criteria an individual
  must meet to become a volunteer;
               (3)  develop and publish guidelines for operation of
  the incident response team, including the:
                     (A)  standards and procedures the command
  [department] uses to determine whether an individual is eligible to
  serve as a volunteer;
                     (B)  process for an individual to apply for and
  accept incident response team membership;
                     (C)  requirements for a participating entity to
  receive assistance from the incident response team; and
                     (D)  process for a participating entity to request
  and obtain the assistance of the incident response team; and
               (4)  adopt policies [rules] necessary to implement this
  subchapter.
         (b)  The command [department] may require a participating
  entity to enter into a contract as a condition for obtaining
  assistance from the incident response team.  [The contract must
  comply with the requirements of Chapters 771 and 791.]
         (c)  The command [department] may provide appropriate
  training to prospective and approved volunteers.
         (d)  In accordance with state law, the command [department]
  may provide compensation for actual and necessary travel and living
  expenses incurred by a volunteer on a deployment using money
  available for that purpose.
         (e)  The command [department] may establish a fee schedule
  for participating entities receiving incident response team
  assistance.  The amount of fees collected may not exceed the
  command's [department's] costs to operate the incident response
  team.
         Sec. 2063.508 [2054.52008].  STATUS OF VOLUNTEER;
  LIABILITY.  (a)  A volunteer is not an agent, employee, or
  independent contractor of this state for any purpose and has no
  authority to obligate this state to a third party.
         (b)  This state is not liable to a volunteer for personal
  injury or property damage sustained by the volunteer that arises
  from participation in the incident response team.
         Sec. 2063.509 [2054.52009].  CIVIL LIABILITY.  A volunteer
  who in good faith provides professional services in response to a
  cybersecurity incident [event] is not liable for civil damages as a
  result of the volunteer's acts or omissions in providing the
  services, except for wilful and wanton misconduct.  This immunity
  is limited to services provided during the time of deployment for a
  cybersecurity incident [event].
         Sec. 2063.510 [2054.52010].  CONFIDENTIAL INFORMATION.  
  Information written, produced, collected, assembled, or maintained
  by the command [department], a participating entity, the
  cybersecurity council, or a volunteer in the implementation of this
  subchapter is confidential and not subject to disclosure under
  Chapter 552 if the information:
               (1)  contains the contact information for a volunteer;
               (2)  identifies or provides a means of identifying a
  person who may, as a result of disclosure of the information, become
  a victim of a cybersecurity incident [event];
               (3)  consists of a participating entity's cybersecurity
  plans or cybersecurity-related practices; or
               (4)  is obtained from a participating entity or from a
  participating entity's computer system in the course of providing
  assistance under this subchapter.
         SECTION 17.  Subchapter E, Chapter 2059, Government Code, is
  transferred to Chapter 2063, Government Code, as added by this Act,
  redesignated as Subchapter G, Chapter 2063, Government Code, and
  amended to read as follows:
  SUBCHAPTER G [E].  REGIONAL [NETWORK] SECURITY OPERATIONS CENTERS
         Sec. 2063.601 [2059.201].  ELIGIBLE PARTICIPATING ENTITIES.  
  A state agency or an entity listed in Section 2059.058 is eligible
  to participate in cybersecurity support and network security
  provided by a regional [network] security operations center under
  this subchapter.
         Sec. 2063.602 [2059.202].  ESTABLISHMENT OF REGIONAL
  [NETWORK] SECURITY OPERATIONS CENTERS.  (a)  Subject to Subsection
  (b), the command [department] may establish regional [network]
  security operations centers, under the command's [department's]
  managed security services framework established by Section
  2063.204(c) [2054.0594(d)], to assist in providing cybersecurity
  support and network security to regional offices or locations for
  state agencies and other eligible entities that elect to
  participate in and receive services through the center.
         (b)  The command [department] may establish more than one
  regional [network] security operations center only if the command
  [department] determines the first center established by the command
  [department] successfully provides to state agencies and other
  eligible entities the services the center has contracted to
  provide.
         (c)  The command [department] shall enter into an
  interagency contract in accordance with Chapter 771 or an
  interlocal contract in accordance with Chapter 791, as appropriate,
  with an eligible participating entity that elects to participate in
  and receive services through a regional [network] security
  operations center.
         Sec. 2063.603 [2059.203].  REGIONAL [NETWORK] SECURITY
  OPERATIONS CENTER LOCATIONS AND PHYSICAL SECURITY.  (a)  In
  creating and operating a regional [network] security operations
  center, the command may [department shall] partner with another [a]
  university system or institution of higher education as defined by
  Section 61.003, Education Code, other than a public junior college.  
  The system or institution shall:
               (1)  serve as an education partner with the command
  [department] for the regional [network] security operations
  center; and
               (2)  enter into an interagency contract with the
  command [department] in accordance with Chapter 771.
         (b)  In selecting the location for a regional [network]
  security operations center, the command [department] shall select a
  university system or institution of higher education that has
  supportive educational capabilities.
         (c)  A university system or institution of higher education
  selected to serve as a regional [network] security operations
  center shall control and monitor all entrances to and critical
  areas of the center to prevent unauthorized entry.  The system or
  institution shall restrict access to the center to only authorized
  individuals.
         (d)  A local law enforcement entity or any entity providing
  security for a regional [network] security operations center shall
  monitor security alarms at the regional [network] security
  operations center subject to the availability of that service.
         (e)  The command [department] and a university system or
  institution of higher education selected to serve as a regional
  [network] security operations center shall restrict operational
  information to only center personnel, except as provided by Chapter
  321.
         Sec. 2063.604 [2059.204].  REGIONAL [NETWORK] SECURITY
  OPERATIONS CENTERS SERVICES AND SUPPORT.  The command [department]
  may offer the following managed security services through a
  regional [network] security operations center:
               (1)  real-time network security monitoring to detect
  and respond to network security events that may jeopardize this
  state and the residents of this state;
               (2)  alerts and guidance for defeating network security
  threats, including firewall configuration, installation,
  management, and monitoring, intelligence gathering, and protocol
  analysis;
               (3)  immediate response to counter network security
  activity that exposes this state and the residents of this state to
  risk, including complete intrusion detection system installation,
  management, and monitoring for participating entities;
               (4)  development, coordination, and execution of
  statewide cybersecurity operations to isolate, contain, and
  mitigate the impact of network security incidents for participating
  entities; and
               (5)  cybersecurity educational services.
         Sec. 2063.605 [2059.205].  NETWORK SECURITY GUIDELINES AND
  STANDARD OPERATING PROCEDURES.  (a)  The command [department] shall
  adopt and provide to each regional [network] security operations
  center appropriate network security guidelines and standard
  operating procedures to ensure efficient operation of the center
  with a maximum return on the state's investment.
         (b)  The command [department] shall revise the standard
  operating procedures as necessary to confirm network security.
         (c)  Each eligible participating entity that elects to
  participate in a regional [network] security operations center
  shall comply with the network security guidelines and standard
  operating procedures.
         SECTION 18.  Section 325.011, Government Code, is amended to
  read as follows:
         Sec. 325.011.  CRITERIA FOR REVIEW.  The commission and its
  staff shall consider the following criteria in determining whether
  a public need exists for the continuation of a state agency or its
  advisory committees or for the performance of the functions of the
  agency or its advisory committees:
               (1)  the efficiency and effectiveness with which the
  agency or the advisory committee operates;
               (2)(A)  an identification of the mission, goals, and
  objectives intended for the agency or advisory committee and of the
  problem or need that the agency or advisory committee was intended
  to address; and
                     (B)  the extent to which the mission, goals, and
  objectives have been achieved and the problem or need has been
  addressed;
               (3)(A)  an identification of any activities of the
  agency in addition to those granted by statute and of the authority
  for those activities; and
                     (B)  the extent to which those activities are
  needed;
               (4)  an assessment of authority of the agency relating
  to fees, inspections, enforcement, and penalties;
               (5)  whether less restrictive or alternative methods of
  performing any function that the agency performs could adequately
  protect or provide service to the public;
               (6)  the extent to which the jurisdiction of the agency
  and the programs administered by the agency overlap or duplicate
  those of other agencies, the extent to which the agency coordinates
  with those agencies, and the extent to which the programs
  administered by the agency can be consolidated with the programs of
  other state agencies;
               (7)  the promptness and effectiveness with which the
  agency addresses complaints concerning entities or other persons
  affected by the agency, including an assessment of the agency's
  administrative hearings process;
               (8)  an assessment of the agency's rulemaking process
  and the extent to which the agency has encouraged participation by
  the public in making its rules and decisions and the extent to which
  the public participation has resulted in rules that benefit the
  public;
               (9)  the extent to which the agency has complied with:
                     (A)  federal and state laws and applicable rules
  regarding equality of employment opportunity and the rights and
  privacy of individuals; and
                     (B)  state law and applicable rules of any state
  agency regarding purchasing guidelines and programs for
  historically underutilized businesses;
               (10)  the extent to which the agency issues and
  enforces rules relating to potential conflicts of interest of its
  employees;
               (11)  the extent to which the agency complies with
  Chapters 551 and 552 and follows records management practices that
  enable the agency to respond efficiently to requests for public
  information;
               (12)  the effect of federal intervention or loss of
  federal funds if the agency is abolished;
               (13)  the extent to which the purpose and effectiveness
  of reporting requirements imposed on the agency justifies the
  continuation of the requirement; and
               (14)  an assessment of the agency's cybersecurity
  practices using confidential information available from the
  Department of Information Resources, the Texas Cyber Command, or
  any other appropriate state agency.
         SECTION 19.  Section 11.175(h-1), Education Code, is amended
  to read as follows:
         (h-1)  Notwithstanding Section 2063.103 [2054.5191],
  Government Code, only the district's cybersecurity coordinator is
  required to complete the cybersecurity training under that section
  on an annual basis.  Any other school district employee required to
  complete the cybersecurity training shall complete the training as
  determined by the district, in consultation with the district's
  cybersecurity coordinator.
         SECTION 20.  Section 38.307(e), Education Code, is amended
  to read as follows:
         (e)  The agency shall maintain the data collected by the task
  force and the work product of the task force in accordance with:
               (1)  the agency's information security plan under
  Section 2063.403 [2054.133], Government Code; and
               (2)  the agency's records retention schedule under
  Section 441.185, Government Code.
         SECTION 21.  Section 61.003(6), Education Code, is amended
  to read as follows:
               (6)  "Other agency of higher education" means The
  University of Texas System, System Administration; The University
  of Texas at El Paso Museum; Texas Epidemic Public Health Institute
  at The University of Texas Health Science Center at Houston; the
  Texas Cyber Command; The Texas A&M University System,
  Administrative and General Offices; Texas A&M AgriLife Research;
  Texas A&M AgriLife Extension Service; Rodent and Predatory Animal
  Control Service (a part of the Texas A&M AgriLife Extension
  Service); Texas A&M Engineering Experiment Station (including the
  Texas A&M Transportation Institute); Texas A&M Engineering
  Extension Service; Texas A&M Forest Service; Texas Division of
  Emergency Management; Texas Tech University Museum; Texas State
  University System, System Administration; Sam Houston Memorial
  Museum; Panhandle-Plains Historical Museum; Cotton Research
  Committee of Texas; Texas Water Resources Institute; Texas A&M
  Veterinary Medical Diagnostic Laboratory; and any other unit,
  division, institution, or agency which shall be so designated by
  statute or which may be established to operate as a component part
  of any public senior college or university, or which may be so
  classified as provided in this chapter.
         SECTION 22.  Section 65.02(a), Education Code, is amended to
  read as follows:
         (a)  The University of Texas System is composed of the
  following institutions and entities:
               (1)  The University of Texas at Arlington;
               (2)  The University of Texas at Austin;
               (3)  The University of Texas at Dallas;
               (4)  The University of Texas at El Paso;
               (5)  The University of Texas Permian Basin;
               (6)  The University of Texas at San Antonio;
               (7)  The University of Texas Southwestern Medical
  Center;
               (8)  The University of Texas Medical Branch at
  Galveston;
               (9)  The University of Texas Health Science Center at
  Houston;
               (10)  The University of Texas Health Science Center at
  San Antonio;
               (11)  The University of Texas M. D. Anderson Cancer
  Center;
               (12)  Stephen F. Austin State University, a member of
  The University of Texas System;
               (13)  The University of Texas at Tyler; [and]
               (14)  The University of Texas Rio Grande Valley; and
               (15)  the Texas Cyber Command (Chapter 2063, Government
  Code).
         SECTION 23.  Sections 772.012(b) and (c), Government Code,
  are amended to read as follows:
         (b)  To apply for a grant under this chapter, a local
  government must submit with the grant application a written
  certification of the local government's compliance with the
  cybersecurity training required by Section 2063.103 [2054.5191].
         (c)  On a determination by the criminal justice division
  established under Section 772.006 that a local government awarded a
  grant under this chapter has not complied with the cybersecurity
  training required by Section 2063.103 [2054.5191], the local
  government shall pay to this state an amount equal to the amount of
  the grant award.  A local government that is the subject of a
  determination described by this subsection is ineligible for
  another grant under this chapter until the second anniversary of
  the date the local government is determined ineligible.
         SECTION 24.  Section 2054.0701(c), Government Code, is
  amended to read as follows:
         (c)  A program offered under this section must:
               (1)  be approved by the Texas Higher Education
  Coordinating Board in accordance with Section 61.0512, Education
  Code;
               (2)  develop the knowledge and skills necessary for an
  entry-level information technology position in a state agency; and
               (3)  include a one-year apprenticeship with:
                     (A)  the department;
                     (B)  another relevant state agency;
                     (C)  an organization working on a major
  information resources project; or
                     (D)  a regional network security center
  established under Section 2063.602 [2059.202].
         SECTION 25.  Section 2056.002(b), Government Code, is
  amended to read as follows:
         (b)  The Legislative Budget Board and the governor's office
  shall determine the elements required to be included in each
  agency's strategic plan.  Unless modified by the Legislative Budget
  Board and the governor's office, and except as provided by
  Subsection (c), a plan must include:
               (1)  a statement of the mission and goals of the state
  agency;
               (2)  a description of the indicators developed under
  this chapter and used to measure the output and outcome of the
  agency;
               (3)  identification of the groups of people served by
  the agency, including those having service priorities, or other
  service measures established by law, and estimates of changes in
  those groups expected during the term of the plan;
               (4)  an analysis of the use of the agency's resources to
  meet the agency's needs, including future needs, and an estimate of
  additional resources that may be necessary to meet future needs;
               (5)  an analysis of expected changes in the services
  provided by the agency because of changes in state or federal law;
               (6)  a description of the means and strategies for
  meeting the agency's needs, including future needs, and achieving
  the goals established under Section 2056.006 for each area of state
  government for which the agency provides services;
               (7)  a description of the capital improvement needs of
  the agency during the term of the plan and a statement, if
  appropriate, of the priority of those needs;
               (8)  identification of each geographic region of this
  state, including the Texas-Louisiana border region and the
  Texas-Mexico border region, served by the agency, and if
  appropriate the agency's means and strategies for serving each
  region;
               (9)  a description of the training of the agency's
  contract managers under Section 656.052;
               (10)  an analysis of the agency's expected expenditures
  that relate to federally owned or operated military installations
  or facilities, or communities where a federally owned or operated
  military installation or facility is located;
               (11)  an analysis of the strategic use of information
  resources as provided by the instructions prepared under Section
  2054.095;
               (12)  a written certification of the agency's
  compliance with the cybersecurity training required under Sections
  2063.103 [2054.5191] and 2063.104 [2054.5192]; and
               (13)  other information that may be required.
         SECTION 26.  (a)  In this section, "department" means the
  Department of Information Resources.
         (b)  On the effective date of this Act:
               (1)  the Texas Cyber Command, organized as provided by
  Section 2063.002, Government Code, as added by this Act, is created
  with the powers and duties assigned by Chapter 2063, Government
  Code, as added by this Act; and
               (2)  the chief information security officer of the
  department becomes the chief of the Texas Cyber Command, as
  described by Section 2063.0025, Government Code, as added by this
  Act.
         (c)  Notwithstanding Subsection (b) of this section, the
  department shall continue to perform duties and exercise powers
  under Chapter 2054, Government Code, as that law existed
  immediately before the effective date of this Act, until the date
  provided by the memorandum of understanding entered into under
  Subsection (e) of this section.
         (d)  Not later than December 31, 2026:
               (1)  all functions and activities performed by the
  department that relate to cybersecurity under Chapter 2063,
  Government Code, as added by this Act, are transferred to the Texas
  Cyber Command;
               (2)  all employees of the department who primarily
  perform duties related to cybersecurity, including employees who
  provide administrative support for those services, under Chapter
  2063, Government Code, as added by this Act, become employees of the
  Texas Cyber Command, but continue to work in the same physical
  location unless moved in accordance with the memorandum of
  understanding entered into under Subsection (e) of this section;
               (3)  a rule or form adopted by the department that
  relates to cybersecurity under Chapter 2063, Government Code, as
  added by this Act, is a rule or form of the Texas Cyber Command and
  remains in effect until changed by the command;
               (4)  a reference in law to the department that relates
  to cybersecurity under Chapter 2063, Government Code, as added by
  this Act, means the Texas Cyber Command;
               (5)  a contract negotiation or other proceeding
  involving the department that is related to cybersecurity under
  Chapter 2063, Government Code, as added by this Act, is transferred
  without change in status to the Texas Cyber Command, and the Texas
  Cyber Command assumes, without a change in status, the position of
  the department in a negotiation or proceeding relating to
  cybersecurity to which the department is a party;
               (6)  all money, contracts, leases, rights, and
  obligations of the department related to cybersecurity under
  Chapter 2063, Government Code, as added by this Act, are
  transferred to the Texas Cyber Command;
               (7)  all property, including records, in the custody of
  the department related to cybersecurity under Chapter 2063,
  Government Code, as added by this Act, becomes property of the Texas
  Cyber Command, but stays in the same physical location unless moved
  in accordance with the specific steps and methods created under
  Subsection (e) of this section; and
               (8)  all funds appropriated by the legislature to the
  department for purposes related to cybersecurity, including funds
  for providing administrative support, under Chapter 2063,
  Government Code, as added by this Act, are transferred to the Texas
  Cyber Command.
         (e)  Not later than January 1, 2026, the department and the
  board of regents of The University of Texas System shall enter into
  a memorandum of understanding relating to the transfer of powers
  and duties from the department to the Texas Cyber Command as
  provided by this Act. The memorandum must include:
               (1)  a timetable and specific steps and methods for the
  transfer of all powers, duties, obligations, rights, contracts,
  leases, records, real or personal property, and unspent and
  unobligated appropriations and other funds relating to the
  administration of the powers and duties as provided by this Act;
               (2)  measures to ensure against any unnecessary
  disruption to cybersecurity operations during the transfer
  process; and
               (3)  a provision that the terms of any memorandum of
  understanding entered into related to the transfer remain in effect
  until the transfer is completed.
         SECTION 27.  This Act takes effect September 1, 2025.