Bill Text: TX HB8 | 2017-2018 | 85th Legislature | Enrolled
Bill Title: Relating to cybersecurity for state agency information resources.
Spectrum: Moderate Partisan Bill (Republican 13-3)
Status: (Passed) 2017-06-12 - Effective on 9/1/17
H.B. No. 8
relating to cybersecurity for state agency information resources.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. This Act may be cited as the Texas Cybersecurity Act.
SECTION 2. Section 325.011, Government Code, is amended to read as follows:
Sec. 325.011. CRITERIA FOR REVIEW. The commission and its staff shall consider the following criteria in determining whether a public need exists for the continuation of a state agency or its advisory committees or for the performance of the functions of the agency or its advisory committees:
(1) the efficiency and effectiveness with which the agency or the advisory committee operates;
(2)(A) an identification of the mission, goals, and objectives intended for the agency or advisory committee and of the problem or need that the agency or advisory committee was intended to address; and
(B) the extent to which the mission, goals, and objectives have been achieved and the problem or need has been addressed;
(3)(A) an identification of any activities of the agency in addition to those granted by statute and of the authority for those activities; and
(B) the extent to which those activities are needed;
(4) an assessment of authority of the agency relating to fees, inspections, enforcement, and penalties;
(5) whether less restrictive or alternative methods of performing any function that the agency performs could adequately protect or provide service to the public;
(6) the extent to which the jurisdiction of the agency and the programs administered by the agency overlap or duplicate those of other agencies, the extent to which the agency coordinates with those agencies, and the extent to which the programs administered by the agency can be consolidated with the programs of other state agencies;
(7) the promptness and effectiveness with which the agency addresses complaints concerning entities or other persons affected by the agency, including an assessment of the agency's administrative hearings process;
(8) an assessment of the agency's rulemaking process and the extent to which the agency has encouraged participation by the public in making its rules and decisions and the extent to which the public participation has resulted in rules that benefit the public;
(9) the extent to which the agency has complied with:
(A) federal and state laws and applicable rules regarding equality of employment opportunity and the rights and privacy of individuals; and
(B) state law and applicable rules of any state agency regarding purchasing guidelines and programs for historically underutilized businesses;
(10) the extent to which the agency issues and enforces rules relating to potential conflicts of interest of its employees;
(11) the extent to which the agency complies with Chapters 551 and 552 and follows records management practices that enable the agency to respond efficiently to requests for public information;
(12) the effect of federal intervention or loss of federal funds if the agency is abolished; [
(13) the extent to which the purpose and effectiveness of reporting requirements imposed on the agency justifies the continuation of the requirement; and
(14) an assessment of the agency's cybersecurity practices using confidential information available from the Department of Information Resources or any other appropriate state agency.
SECTION 3. Section 551.089, Government Code, is amended to read as follows:
Sec. 551.089. DELIBERATION REGARDING SECURITY DEVICES OR SECURITY AUDITS; CLOSED MEETING [
conduct an open meeting to deliberate:
(1) security assessments or deployments relating to information resources technology;
(2) network security information as described by Section 2059.055(b); or
(3) the deployment, or specific occasions for implementation, of security personnel, critical infrastructure, or security devices.
SECTION 4. Section 552.139, Government Code, is amended by adding Subsection (d) to read as follows:
(d) When posting a contract on an Internet website as required by Section 2261.253, a state agency shall redact information made confidential by this section or excepted from public disclosure by this section. Redaction under this subsection does not except information from the requirements of Section 552.021.
SECTION 5. Subchapter C, Chapter 2054, Government Code, is amended by adding Section 2054.0594 to read as follows:
Sec. 2054.0594. INFORMATION SHARING AND ANALYSIS CENTER. (a) The department shall establish an information sharing and analysis center to provide a forum for state agencies to share information regarding cybersecurity threats, best practices, and remediation strategies.
(b) The department shall appoint persons from appropriate state agencies to serve as representatives to the information sharing and analysis center.
(c) The department, using funds other than funds appropriated to the department in a general appropriations act, shall provide administrative support to the information sharing and analysis center.
SECTION 6. Section 2054.076, Government Code, is amended by adding Subsection (b-1) to read as follows:
(b-1) The department shall provide mandatory guidelines to state agencies regarding the continuing education requirements for cybersecurity training that must be completed by all information resources employees of the agencies. The department shall consult with the Information Technology Council for Higher Education on applying the guidelines to institutions of higher education.
SECTION 7. Sections 2054.077(b) and (e), Government Code, are amended to read as follows:
(b) The information resources manager of a state agency shall [
executive summary of the findings of the biennial report, not later than October 15 of each even-numbered year, assessing the extent to which a computer, a computer program, a computer network, a computer system, a printer, an interface to a computer system, including mobile and peripheral devices, computer software, or data processing of the agency or of a contractor of the agency is vulnerable to unauthorized access or harm, including the extent to which the agency's or contractor's electronically stored information is vulnerable to alteration, damage, erasure, or inappropriate use.
(e) Separate from the executive summary described by Subsection (b), a state agency [
prepare a summary of the agency's vulnerability report that does not contain any information the release of which might compromise the security of the state agency's or state agency contractor's computers, computer programs, computer networks, computer systems, printers, interfaces to computer systems, including mobile and peripheral devices, computer software, data processing, or electronically stored information. The summary is available to the public on request.
SECTION 8. Section 2054.1125(b), Government Code, is amended to read as follows:
(b) A state agency that owns, licenses, or maintains computerized data that includes sensitive personal information, confidential information, or information the disclosure of which is regulated by law shall, in the event of a breach or suspected breach of system security or an unauthorized exposure of that information:
(1) comply[
Business & Commerce Code, to the same extent as a person who conducts business in this state; and
(2) not later than 48 hours after the discovery of the breach, suspected breach, or unauthorized exposure, notify:
(A) the department, including the chief information security officer and the state cybersecurity coordinator; or
(B) if the breach, suspected breach, or unauthorized exposure involves election data, the secretary of state.
SECTION 9. Section 2054.512, Government Code, is amended to read as follows:
Sec. 2054.512. CYBERSECURITY [
COUNCIL. (a) The state cybersecurity coordinator shall [
establish and lead a cybersecurity council that includes public and private sector leaders and cybersecurity practitioners to collaborate on matters of cybersecurity concerning this state.
(b) The cybersecurity council must include:
(1) one member who is an employee of the office of the governor;
(2) one member of the senate appointed by the lieutenant governor;
(3) one member of the house of representatives appointed by the speaker of the house of representatives; and
(4) additional members appointed by the state cybersecurity coordinator, including representatives of institutions of higher education and private sector leaders.
(c) In appointing representatives from institutions of higher education to the cybersecurity council, the state cybersecurity coordinator shall consider appointing members of the Information Technology Council for Higher Education.
(d) The cybersecurity council shall:
(1) consider the costs and benefits of establishing a computer emergency readiness team to address cyber attacks occurring in this state during routine and emergency situations;
(2) establish criteria and priorities for addressing cybersecurity threats to critical state installations;
(3) consolidate and synthesize best practices to assist state agencies in understanding and implementing cybersecurity measures that are most beneficial to this state; and
(4) assess the knowledge, skills, and capabilities of the existing information technology and cybersecurity workforce to mitigate and respond to cyber threats and develop recommendations for addressing immediate workforce deficiencies and ensuring a long-term pool of qualified applicants.
(e) The cybersecurity council shall provide recommendations to the legislature on any legislation necessary to implement cybersecurity best practices and remediation strategies for this state.
SECTION 10. Section 2054.133, Government Code, is amended by adding Subsection (e) to read as follows:
(e) Each state agency shall include in the agency's information security plan a written acknowledgment that the executive director or other head of the agency, the chief financial officer, and each executive manager as designated by the state agency have been made aware of the risks revealed during the preparation of the agency's information security plan.
SECTION 11. Subchapter N-1, Chapter 2054, Government Code, is amended by adding Sections 2054.515, 2054.516, 2054.517, and 2054.518 to read as follows:
Sec. 2054.515. AGENCY INFORMATION SECURITY ASSESSMENT AND REPORT. (a) At least once every two years, each state agency shall conduct an information security assessment of the agency's information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities.
(b) Not later than December 1 of the year in which a state agency conducts the assessment under Subsection (a), the agency shall report the results of the assessment to the department, the governor, the lieutenant governor, and the speaker of the house of representatives.
(c) The department by rule may establish the requirements for the information security assessment and report required by this section.
Sec. 2054.516. DATA SECURITY PLAN FOR ONLINE AND MOBILE APPLICATIONS. Each state agency, other than an institution of higher education subject to Section 2054.517, implementing an Internet website or mobile application that processes any sensitive personal information or confidential information must:
(1) submit a biennial data security plan to the department not later than October 15 of each even-numbered year to establish planned beta testing for the website or application; and
(2) subject the website or application to a vulnerability and penetration test and address any vulnerability identified in the test.
Sec. 2054.517. DATA SECURITY PROCEDURES FOR ONLINE AND MOBILE APPLICATIONS OF INSTITUTIONS OF HIGHER EDUCATION. (a) Each institution of higher education, as defined by Section 61.003, Education Code, shall adopt and implement a policy for Internet website and mobile application security procedures that complies with this section.
(b) Before deploying an Internet website or mobile application that processes confidential information for an institution of higher education, the developer of the website or application for the institution must submit to the institution's information security officer the information required under policies adopted by the institution to protect the privacy of individuals by preserving the confidentiality of information processed by the website or application. At a minimum, the institution's policies must require the developer to submit information describing:
(1) the architecture of the website or application;
(2) the authentication mechanism for the website or application; and
(3) the administrator level access to data included in the website or application.
(c) Before deploying an Internet website or mobile application described by Subsection (b), an institution of higher education must subject the website or application to a vulnerability and penetration test conducted internally or by an independent third party.
(d) Each institution of higher education shall submit to the department the policies adopted as required by Subsection (b). The department shall review the policies and make recommendations for appropriate changes.
Sec. 2054.518. CYBERSECURITY RISKS AND INCIDENTS. (a) The department shall develop a plan to address cybersecurity risks and incidents in this state. The department may enter into an agreement with a national organization, including the National Cybersecurity Preparedness Consortium, to support the department's efforts in implementing the components of the plan for which the department lacks resources to address internally. The agreement may include provisions for:
(1) providing fee reimbursement for appropriate industry-recognized certification examinations for and training to state agencies preparing for and responding to cybersecurity risks and incidents;
(2) developing and maintaining a cybersecurity risks and incidents curriculum using existing programs and models for training state agencies;
(3) delivering to state agency personnel with access to state agency networks routine training related to appropriately protecting and maintaining information technology systems and devices, implementing cybersecurity best practices, and mitigating cybersecurity risks and vulnerabilities;
(4) providing technical assistance services to support preparedness for and response to cybersecurity risks and incidents;
(5) conducting cybersecurity training and simulation exercises for state agencies to encourage coordination in defending against and responding to cybersecurity risks and incidents;
(6) assisting state agencies in developing cybersecurity information-sharing programs to disseminate information related to cybersecurity risks and incidents; and
(7) incorporating cybersecurity risk and incident prevention and response methods into existing state emergency plans, including continuity of operation plans and incident response plans.
(b) In implementing the provisions of the agreement prescribed by Subsection (a), the department shall seek to prevent unnecessary duplication of existing programs or efforts of the department or another state agency.
(c) In selecting an organization under Subsection (a), the department shall consider the organization's previous experience in conducting cybersecurity training and exercises for state agencies and political subdivisions.
(d) The department shall consult with institutions of higher education in this state when appropriate based on an institution's expertise in addressing specific cybersecurity risks and incidents.
SECTION 12. Section 2054.575(a), Government Code, is amended to read as follows:
(a) A state agency shall, with available funds, identify information security issues and develop a plan to prioritize the remediation and mitigation of those issues. The agency shall include in the plan:
(1) procedures for reducing the agency's level of exposure with regard to information that alone or in conjunction with other information identifies an individual maintained on a legacy system of the agency;
(2) the best value approach for modernizing, replacing, renewing, or disposing of a legacy system that maintains information critical to the agency's responsibilities;
(3) analysis of the percentage of state agency personnel in information technology, cybersecurity, or other cyber-related positions who currently hold the appropriate industry-recognized certifications as identified by the National Initiative for Cybersecurity Education;
(4) the level of preparedness of state agency cyber personnel and potential personnel who do not hold the appropriate industry-recognized certifications to successfully complete the industry-recognized certification examinations; and
(5) a strategy for mitigating any workforce-related discrepancy in information technology, cybersecurity, or other cyber-related positions with the appropriate training and industry-recognized certifications.
SECTION 13. Section 2059.055(b), Government Code, is amended to read as follows:
(b) Network security information is confidential under this section if the information is:
(1) related to passwords, personal identification numbers, access codes, encryption, or other components of the security system of a governmental entity [
(2) collected, assembled, or maintained by or for a governmental entity to prevent, detect, or investigate criminal activity; or
(3) related to an assessment, made by or for a governmental entity or maintained by a governmental entity, of the vulnerability of a network to criminal activity.
SECTION 14. Chapter 276, Election Code, is amended by adding Section 276.011 to read as follows:
Sec. 276.011. ELECTION CYBER ATTACK STUDY. (a) Not later than December 1, 2018, the secretary of state shall:
(1) conduct a study regarding cyber attacks on election infrastructure;
(2) prepare a public summary report on the study's findings that does not contain any information the release of which may compromise any election;
(3) prepare a confidential report on specific findings and vulnerabilities that is exempt from disclosure under Chapter 552, Government Code; and
(4) submit to the standing committees of the legislature with jurisdiction over election procedures a copy of the report required under Subdivision (2) and a general compilation of the report required under Subdivision (3) that does not contain any information the release of which may compromise any election.
(b) The study must include:
(1) an investigation of vulnerabilities and risks for a cyber attack against a county's voting system machines or the list of registered voters;
(2) information on any attempted cyber attack on a county's voting system machines or the list of registered voters; and
(3) recommendations for protecting a county's voting system machines and list of registered voters from a cyber attack.
(c) The secretary of state, using existing resources, may contract with a qualified vendor to conduct the study required by this section.
(d) This section expires January 1, 2019.
SECTION 15. (a) The lieutenant governor shall establish a Senate Select Committee on Cybersecurity and the speaker of the house of representatives shall establish a House Select Committee on Cybersecurity to, jointly or separately, study:
(1) cybersecurity in this state;
(2) the information security plans of each state agency; and
(3) the risks and vulnerabilities of state agency cybersecurity.
(b) Not later than November 30, 2017:
(1) the lieutenant governor shall appoint five senators to the Senate Select Committee on Cybersecurity, one of whom shall be designated as chair; and
(2) the speaker of the house of representatives shall appoint five state representatives to the House Select Committee on Cybersecurity, one of whom shall be designated as chair.
(c) The committees established under this section shall convene separately at the call of the chair of the respective committees, or jointly at the call of both chairs. In joint meetings, the chairs of each committee shall act as joint chairs.
(d) Following consideration of the issues listed in Subsection (a) of this section, the committees established under this section shall jointly adopt recommendations on state cybersecurity and report in writing to the legislature any findings and adopted recommendations not later than January 13, 2019.
(e) This section expires September 1, 2019.
SECTION 16. (a) In this section, "state agency" means a board, commission, office, department, council, authority, or other agency in the executive or judicial branch of state government that is created by the constitution or a statute of this state. The term does not include a university system or institution of higher education as those terms are defined by Section 61.003, Education Code.
(b) The Department of Information Resources, in consultation with the Texas State Library and Archives Commission, shall conduct a study on state agency digital data storage and records management practices and the associated costs to this state.
(c) The study required under this section must examine:
(1) the current digital data storage practices of state agencies in this state;
(2) the costs associated with those digital data storage practices;
(3) the digital records management and data classification policies of state agencies and whether the state agencies are consistently complying with the established policies;
(4) whether the state agencies are storing digital data that exceeds established retention requirements and the cost of that unnecessary storage;
(5) the adequacy of storage systems used by state agencies to securely maintain confidential digital records;
(6) possible solutions and improvements recommended by the state agencies for reducing state costs and increasing security for digital data storage and records management; and
(7) the security level and possible benefits of and the cost savings from using cloud computing services for agency data storage, data classification, and records management.
(d) Each state agency shall participate in the study required by this section and provide appropriate assistance and information to the Department of Information Resources and the Texas State Library and Archives Commission.
(e) Not later than December 1, 2018, the Department of Information Resources shall issue a report on the study required under this section and recommendations for reducing state costs and for improving efficiency in digital data storage and records management to the lieutenant governor, the speaker of the house of representatives, and the appropriate standing committees of the house of representatives and the senate.
(f) This section expires September 1, 2019.
SECTION 17. The changes in law made by this Act do not apply to the Electric Reliability Council of Texas.
SECTION 18. This Act takes effect September 1, 2017.
______________________________
President of the Senate
______________________________
Speaker of the House
I certify that H.B. No. 8 was passed by the House on April 25, 2017, by the following vote: Yeas 145, Nays 0, 2 present, not voting; and that the House concurred in Senate amendments to H.B. No. 8 on May 27, 2017, by the following vote: Yeas 139, Nays 7, 2 present, not voting.
______________________________
Chief Clerk of the House
I certify that H.B. No. 8 was passed by the Senate, with amendments, on May 24, 2017, by the following vote: Yeas 31, Nays 0.
______________________________
Secretary of the Senate
APPROVED: __________________
Date
__________________
Governor