Bill Text: TX HB8 | 2017-2018 | 85th Legislature | Enrolled
Bill Title: Relating to cybersecurity for state agency information resources.
Sponsorship: Moderate Partisan Bill (Republican 13-3)
Status: (Passed) 2017-06-12 - Effective on 9/1/17 [HB8 Detail]
Download: Texas-2017-HB8-Enrolled.html
| H.B. No. 8 | ||
|
|
||
| relating to cybersecurity for state agency information resources. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. This Act may be cited as the Texas Cybersecurity | ||
| Act. | ||
| SECTION 2. Section 325.011, Government Code, is amended to | ||
| read as follows: | ||
| Sec. 325.011. CRITERIA FOR REVIEW. The commission and its | ||
| staff shall consider the following criteria in determining whether | ||
| a public need exists for the continuation of a state agency or its | ||
| advisory committees or for the performance of the functions of the | ||
| agency or its advisory committees: | ||
| (1) the efficiency and effectiveness with which the | ||
| agency or the advisory committee operates; | ||
| (2)(A) an identification of the mission, goals, and | ||
| objectives intended for the agency or advisory committee and of the | ||
| problem or need that the agency or advisory committee was intended | ||
| to address; and | ||
| (B) the extent to which the mission, goals, and | ||
| objectives have been achieved and the problem or need has been | ||
| addressed; | ||
| (3)(A) an identification of any activities of the | ||
| agency in addition to those granted by statute and of the authority | ||
| for those activities; and | ||
| (B) the extent to which those activities are | ||
| needed; | ||
| (4) an assessment of authority of the agency relating | ||
| to fees, inspections, enforcement, and penalties; | ||
| (5) whether less restrictive or alternative methods of | ||
| performing any function that the agency performs could adequately | ||
| protect or provide service to the public; | ||
| (6) the extent to which the jurisdiction of the agency | ||
| and the programs administered by the agency overlap or duplicate | ||
| those of other agencies, the extent to which the agency coordinates | ||
| with those agencies, and the extent to which the programs | ||
| administered by the agency can be consolidated with the programs of | ||
| other state agencies; | ||
| (7) the promptness and effectiveness with which the | ||
| agency addresses complaints concerning entities or other persons | ||
| affected by the agency, including an assessment of the agency's | ||
| administrative hearings process; | ||
| (8) an assessment of the agency's rulemaking process | ||
| and the extent to which the agency has encouraged participation by | ||
| the public in making its rules and decisions and the extent to which | ||
| the public participation has resulted in rules that benefit the | ||
| public; | ||
| (9) the extent to which the agency has complied with: | ||
| (A) federal and state laws and applicable rules | ||
| regarding equality of employment opportunity and the rights and | ||
| privacy of individuals; and | ||
| (B) state law and applicable rules of any state | ||
| agency regarding purchasing guidelines and programs for | ||
| historically underutilized businesses; | ||
| (10) the extent to which the agency issues and | ||
| enforces rules relating to potential conflicts of interest of its | ||
| employees; | ||
| (11) the extent to which the agency complies with | ||
| Chapters 551 and 552 and follows records management practices that | ||
| enable the agency to respond efficiently to requests for public | ||
| information; | ||
| (12) the effect of federal intervention or loss of | ||
| federal funds if the agency is abolished; [ |
||
| (13) the extent to which the purpose and effectiveness | ||
| of reporting requirements imposed on the agency justifies the | ||
| continuation of the requirement; and | ||
| (14) an assessment of the agency's cybersecurity | ||
| practices using confidential information available from the | ||
| Department of Information Resources or any other appropriate state | ||
| agency. | ||
| SECTION 3. Section 551.089, Government Code, is amended to | ||
| read as follows: | ||
| Sec. 551.089. DELIBERATION REGARDING SECURITY DEVICES OR | ||
| SECURITY AUDITS; CLOSED MEETING [ |
||
|
|
||
|
|
||
| conduct an open meeting to deliberate: | ||
| (1) security assessments or deployments relating to | ||
| information resources technology; | ||
| (2) network security information as described by | ||
| Section 2059.055(b); or | ||
| (3) the deployment, or specific occasions for | ||
| implementation, of security personnel, critical infrastructure, or | ||
| security devices. | ||
| SECTION 4. Section 552.139, Government Code, is amended by | ||
| adding Subsection (d) to read as follows: | ||
| (d) When posting a contract on an Internet website as | ||
| required by Section 2261.253, a state agency shall redact | ||
| information made confidential by this section or excepted from | ||
| public disclosure by this section. Redaction under this subsection | ||
| does not except information from the requirements of Section | ||
| 552.021. | ||
| SECTION 5. Subchapter C, Chapter 2054, Government Code, is | ||
| amended by adding Section 2054.0594 to read as follows: | ||
| Sec. 2054.0594. INFORMATION SHARING AND ANALYSIS CENTER. | ||
| (a) The department shall establish an information sharing and | ||
| analysis center to provide a forum for state agencies to share | ||
| information regarding cybersecurity threats, best practices, and | ||
| remediation strategies. | ||
| (b) The department shall appoint persons from appropriate | ||
| state agencies to serve as representatives to the information | ||
| sharing and analysis center. | ||
| (c) The department, using funds other than funds | ||
| appropriated to the department in a general appropriations act, | ||
| shall provide administrative support to the information sharing and | ||
| analysis center. | ||
| SECTION 6. Section 2054.076, Government Code, is amended by | ||
| adding Subsection (b-1) to read as follows: | ||
| (b-1) The department shall provide mandatory guidelines to | ||
| state agencies regarding the continuing education requirements for | ||
| cybersecurity training that must be completed by all information | ||
| resources employees of the agencies. The department shall consult | ||
| with the Information Technology Council for Higher Education on | ||
| applying the guidelines to institutions of higher education. | ||
| SECTION 7. Sections 2054.077(b) and (e), Government Code, | ||
| are amended to read as follows: | ||
| (b) The information resources manager of a state agency | ||
| shall [ |
||
| executive summary of the findings of the biennial report, not later | ||
| than October 15 of each even-numbered year, assessing the extent to | ||
| which a computer, a computer program, a computer network, a | ||
| computer system, a printer, an interface to a computer system, | ||
| including mobile and peripheral devices, computer software, or data | ||
| processing of the agency or of a contractor of the agency is | ||
| vulnerable to unauthorized access or harm, including the extent to | ||
| which the agency's or contractor's electronically stored | ||
| information is vulnerable to alteration, damage, erasure, or | ||
| inappropriate use. | ||
| (e) Separate from the executive summary described by | ||
| Subsection (b), a state agency [ |
||
|
|
||
| prepare a summary of the agency's vulnerability report that does | ||
| not contain any information the release of which might compromise | ||
| the security of the state agency's or state agency contractor's | ||
| computers, computer programs, computer networks, computer systems, | ||
| printers, interfaces to computer systems, including mobile and | ||
| peripheral devices, computer software, data processing, or | ||
| electronically stored information. The summary is available to | ||
| the public on request. | ||
| SECTION 8. Section 2054.1125(b), Government Code, is | ||
| amended to read as follows: | ||
| (b) A state agency that owns, licenses, or maintains | ||
| computerized data that includes sensitive personal information, | ||
| confidential information, or information the disclosure of which is | ||
| regulated by law shall, in the event of a breach or suspected breach | ||
| of system security or an unauthorized exposure of that information: | ||
| (1) comply[ |
||
|
|
||
| Business & Commerce Code, to the same extent as a person who | ||
| conducts business in this state; and | ||
| (2) not later than 48 hours after the discovery of the | ||
| breach, suspected breach, or unauthorized exposure, notify: | ||
| (A) the department, including the chief | ||
| information security officer and the state cybersecurity | ||
| coordinator; or | ||
| (B) if the breach, suspected breach, or | ||
| unauthorized exposure involves election data, the secretary of | ||
| state. | ||
| SECTION 9. Section 2054.512, Government Code, is amended to | ||
| read as follows: | ||
| Sec. 2054.512. CYBERSECURITY [ |
||
| COUNCIL. (a) The state cybersecurity coordinator shall [ |
||
| establish and lead a cybersecurity council that includes public and | ||
| private sector leaders and cybersecurity practitioners to | ||
| collaborate on matters of cybersecurity concerning this state. | ||
| (b) The cybersecurity council must include: | ||
| (1) one member who is an employee of the office of the | ||
| governor; | ||
| (2) one member of the senate appointed by the | ||
| lieutenant governor; | ||
| (3) one member of the house of representatives | ||
| appointed by the speaker of the house of representatives; and | ||
| (4) additional members appointed by the state | ||
| cybersecurity coordinator, including representatives of | ||
| institutions of higher education and private sector leaders. | ||
| (c) In appointing representatives from institutions of | ||
| higher education to the cybersecurity council, the state | ||
| cybersecurity coordinator shall consider appointing members of the | ||
| Information Technology Council for Higher Education. | ||
| (d) The cybersecurity council shall: | ||
| (1) consider the costs and benefits of establishing a | ||
| computer emergency readiness team to address cyber attacks | ||
| occurring in this state during routine and emergency situations; | ||
| (2) establish criteria and priorities for addressing | ||
| cybersecurity threats to critical state installations; | ||
| (3) consolidate and synthesize best practices to | ||
| assist state agencies in understanding and implementing | ||
| cybersecurity measures that are most beneficial to this state; and | ||
| (4) assess the knowledge, skills, and capabilities of | ||
| the existing information technology and cybersecurity workforce to | ||
| mitigate and respond to cyber threats and develop recommendations | ||
| for addressing immediate workforce deficiencies and ensuring a | ||
| long-term pool of qualified applicants. | ||
| (e) The cybersecurity council shall provide recommendations | ||
| to the legislature on any legislation necessary to implement | ||
| cybersecurity best practices and remediation strategies for this | ||
| state. | ||
| SECTION 10. Section 2054.133, Government Code, is amended | ||
| by adding Subsection (e) to read as follows: | ||
| (e) Each state agency shall include in the agency's | ||
| information security plan a written acknowledgment that the | ||
| executive director or other head of the agency, the chief financial | ||
| officer, and each executive manager as designated by the state | ||
| agency have been made aware of the risks revealed during the | ||
| preparation of the agency's information security plan. | ||
| SECTION 11. Subchapter N-1, Chapter 2054, Government Code, | ||
| is amended by adding Sections 2054.515, 2054.516, 2054.517, and | ||
| 2054.518 to read as follows: | ||
| Sec. 2054.515. AGENCY INFORMATION SECURITY ASSESSMENT AND | ||
| REPORT. (a) At least once every two years, each state agency shall | ||
| conduct an information security assessment of the agency's | ||
| information resources systems, network systems, digital data | ||
| storage systems, digital data security measures, and information | ||
| resources vulnerabilities. | ||
| (b) Not later than December 1 of the year in which a state | ||
| agency conducts the assessment under Subsection (a), the agency | ||
| shall report the results of the assessment to the department, the | ||
| governor, the lieutenant governor, and the speaker of the house of | ||
| representatives. | ||
| (c) The department by rule may establish the requirements | ||
| for the information security assessment and report required by this | ||
| section. | ||
| Sec. 2054.516. DATA SECURITY PLAN FOR ONLINE AND MOBILE | ||
| APPLICATIONS. Each state agency, other than an institution of | ||
| higher education subject to Section 2054.517, implementing an | ||
| Internet website or mobile application that processes any sensitive | ||
| personal information or confidential information must: | ||
| (1) submit a biennial data security plan to the | ||
| department not later than October 15 of each even-numbered year to | ||
| establish planned beta testing for the website or application; and | ||
| (2) subject the website or application to a | ||
| vulnerability and penetration test and address any vulnerability | ||
| identified in the test. | ||
| Sec. 2054.517. DATA SECURITY PROCEDURES FOR ONLINE AND | ||
| MOBILE APPLICATIONS OF INSTITUTIONS OF HIGHER EDUCATION. (a) Each | ||
| institution of higher education, as defined by Section 61.003, | ||
| Education Code, shall adopt and implement a policy for Internet | ||
| website and mobile application security procedures that complies | ||
| with this section. | ||
| (b) Before deploying an Internet website or mobile | ||
| application that processes confidential information for an | ||
| institution of higher education, the developer of the website or | ||
| application for the institution must submit to the institution's | ||
| information security officer the information required under | ||
| policies adopted by the institution to protect the privacy of | ||
| individuals by preserving the confidentiality of information | ||
| processed by the website or application. At a minimum, the | ||
| institution's policies must require the developer to submit | ||
| information describing: | ||
| (1) the architecture of the website or application; | ||
| (2) the authentication mechanism for the website or | ||
| application; and | ||
| (3) the administrator level access to data included in | ||
| the website or application. | ||
| (c) Before deploying an Internet website or mobile | ||
| application described by Subsection (b), an institution of higher | ||
| education must subject the website or application to a | ||
| vulnerability and penetration test conducted internally or by an | ||
| independent third party. | ||
| (d) Each institution of higher education shall submit to the | ||
| department the policies adopted as required by Subsection (b). The | ||
| department shall review the policies and make recommendations for | ||
| appropriate changes. | ||
| Sec. 2054.518. CYBERSECURITY RISKS AND INCIDENTS. (a) The | ||
| department shall develop a plan to address cybersecurity risks and | ||
| incidents in this state. The department may enter into an agreement | ||
| with a national organization, including the National Cybersecurity | ||
| Preparedness Consortium, to support the department's efforts in | ||
| implementing the components of the plan for which the department | ||
| lacks resources to address internally. The agreement may include | ||
| provisions for: | ||
| (1) providing fee reimbursement for appropriate | ||
| industry-recognized certification examinations for and training to | ||
| state agencies preparing for and responding to cybersecurity risks | ||
| and incidents; | ||
| (2) developing and maintaining a cybersecurity risks | ||
| and incidents curriculum using existing programs and models for | ||
| training state agencies; | ||
| (3) delivering to state agency personnel with access | ||
| to state agency networks routine training related to appropriately | ||
| protecting and maintaining information technology systems and | ||
| devices, implementing cybersecurity best practices, and mitigating | ||
| cybersecurity risks and vulnerabilities; | ||
| (4) providing technical assistance services to | ||
| support preparedness for and response to cybersecurity risks and | ||
| incidents; | ||
| (5) conducting cybersecurity training and simulation | ||
| exercises for state agencies to encourage coordination in defending | ||
| against and responding to cybersecurity risks and incidents; | ||
| (6) assisting state agencies in developing | ||
| cybersecurity information-sharing programs to disseminate | ||
| information related to cybersecurity risks and incidents; and | ||
| (7) incorporating cybersecurity risk and incident | ||
| prevention and response methods into existing state emergency | ||
| plans, including continuity of operation plans and incident | ||
| response plans. | ||
| (b) In implementing the provisions of the agreement | ||
| prescribed by Subsection (a), the department shall seek to prevent | ||
| unnecessary duplication of existing programs or efforts of the | ||
| department or another state agency. | ||
| (c) In selecting an organization under Subsection (a), the | ||
| department shall consider the organization's previous experience | ||
| in conducting cybersecurity training and exercises for state | ||
| agencies and political subdivisions. | ||
| (d) The department shall consult with institutions of | ||
| higher education in this state when appropriate based on an | ||
| institution's expertise in addressing specific cybersecurity risks | ||
| and incidents. | ||
| SECTION 12. Section 2054.575(a), Government Code, is | ||
| amended to read as follows: | ||
| (a) A state agency shall, with available funds, identify | ||
| information security issues and develop a plan to prioritize the | ||
| remediation and mitigation of those issues. The agency shall | ||
| include in the plan: | ||
| (1) procedures for reducing the agency's level of | ||
| exposure with regard to information that alone or in conjunction | ||
| with other information identifies an individual maintained on a | ||
| legacy system of the agency; | ||
| (2) the best value approach for modernizing, | ||
| replacing, renewing, or disposing of a legacy system that maintains | ||
| information critical to the agency's responsibilities; | ||
| (3) analysis of the percentage of state agency | ||
| personnel in information technology, cybersecurity, or other | ||
| cyber-related positions who currently hold the appropriate | ||
| industry-recognized certifications as identified by the National | ||
| Initiative for Cybersecurity Education; | ||
| (4) the level of preparedness of state agency cyber | ||
| personnel and potential personnel who do not hold the appropriate | ||
| industry-recognized certifications to successfully complete the | ||
| industry-recognized certification examinations; and | ||
| (5) a strategy for mitigating any workforce-related | ||
| discrepancy in information technology, cybersecurity, or other | ||
| cyber-related positions with the appropriate training and | ||
| industry-recognized certifications. | ||
| SECTION 13. Section 2059.055(b), Government Code, is | ||
| amended to read as follows: | ||
| (b) Network security information is confidential under this | ||
| section if the information is: | ||
| (1) related to passwords, personal identification | ||
| numbers, access codes, encryption, or other components of the | ||
| security system of a governmental entity [ |
||
| (2) collected, assembled, or maintained by or for a | ||
| governmental entity to prevent, detect, or investigate criminal | ||
| activity; or | ||
| (3) related to an assessment, made by or for a | ||
| governmental entity or maintained by a governmental entity, of the | ||
| vulnerability of a network to criminal activity. | ||
| SECTION 14. Chapter 276, Election Code, is amended by | ||
| adding Section 276.011 to read as follows: | ||
| Sec. 276.011. ELECTION CYBER ATTACK STUDY. (a) Not later | ||
| than December 1, 2018, the secretary of state shall: | ||
| (1) conduct a study regarding cyber attacks on | ||
| election infrastructure; | ||
| (2) prepare a public summary report on the study's | ||
| findings that does not contain any information the release of which | ||
| may compromise any election; | ||
| (3) prepare a confidential report on specific findings | ||
| and vulnerabilities that is exempt from disclosure under Chapter | ||
| 552, Government Code; and | ||
| (4) submit to the standing committees of the | ||
| legislature with jurisdiction over election procedures a copy of | ||
| the report required under Subdivision (2) and a general compilation | ||
| of the report required under Subdivision (3) that does not contain | ||
| any information the release of which may compromise any election. | ||
| (b) The study must include: | ||
| (1) an investigation of vulnerabilities and risks for | ||
| a cyber attack against a county's voting system machines or the list | ||
| of registered voters; | ||
| (2) information on any attempted cyber attack on a | ||
| county's voting system machines or the list of registered voters; | ||
| and | ||
| (3) recommendations for protecting a county's voting | ||
| system machines and list of registered voters from a cyber attack. | ||
| (c) The secretary of state, using existing resources, may | ||
| contract with a qualified vendor to conduct the study required by | ||
| this section. | ||
| (d) This section expires January 1, 2019. | ||
| SECTION 15. (a) The lieutenant governor shall establish a | ||
| Senate Select Committee on Cybersecurity and the speaker of the | ||
| house of representatives shall establish a House Select Committee | ||
| on Cybersecurity to, jointly or separately, study: | ||
| (1) cybersecurity in this state; | ||
| (2) the information security plans of each state | ||
| agency; and | ||
| (3) the risks and vulnerabilities of state agency | ||
| cybersecurity. | ||
| (b) Not later than November 30, 2017: | ||
| (1) the lieutenant governor shall appoint five | ||
| senators to the Senate Select Committee on Cybersecurity, one of | ||
| whom shall be designated as chair; and | ||
| (2) the speaker of the house of representatives shall | ||
| appoint five state representatives to the House Select Committee on | ||
| Cybersecurity, one of whom shall be designated as chair. | ||
| (c) The committees established under this section shall | ||
| convene separately at the call of the chair of the respective | ||
| committees, or jointly at the call of both chairs. In joint | ||
| meetings, the chairs of each committee shall act as joint chairs. | ||
| (d) Following consideration of the issues listed in | ||
| Subsection (a) of this section, the committees established under | ||
| this section shall jointly adopt recommendations on state | ||
| cybersecurity and report in writing to the legislature any findings | ||
| and adopted recommendations not later than January 13, 2019. | ||
| (e) This section expires September 1, 2019. | ||
| SECTION 16. (a) In this section, "state agency" means a | ||
| board, commission, office, department, council, authority, or | ||
| other agency in the executive or judicial branch of state | ||
| government that is created by the constitution or a statute of this | ||
| state. The term does not include a university system or institution | ||
| of higher education as those terms are defined by Section 61.003, | ||
| Education Code. | ||
| (b) The Department of Information Resources, in | ||
| consultation with the Texas State Library and Archives Commission, | ||
| shall conduct a study on state agency digital data storage and | ||
| records management practices and the associated costs to this | ||
| state. | ||
| (c) The study required under this section must examine: | ||
| (1) the current digital data storage practices of | ||
| state agencies in this state; | ||
| (2) the costs associated with those digital data | ||
| storage practices; | ||
| (3) the digital records management and data | ||
| classification policies of state agencies and whether the state | ||
| agencies are consistently complying with the established policies; | ||
| (4) whether the state agencies are storing digital | ||
| data that exceeds established retention requirements and the cost | ||
| of that unnecessary storage; | ||
| (5) the adequacy of storage systems used by state | ||
| agencies to securely maintain confidential digital records; | ||
| (6) possible solutions and improvements recommended | ||
| by the state agencies for reducing state costs and increasing | ||
| security for digital data storage and records management; and | ||
| (7) the security level and possible benefits of and | ||
| the cost savings from using cloud computing services for agency | ||
| data storage, data classification, and records management. | ||
| (d) Each state agency shall participate in the study | ||
| required by this section and provide appropriate assistance and | ||
| information to the Department of Information Resources and the | ||
| Texas State Library and Archives Commission. | ||
| (e) Not later than December 1, 2018, the Department of | ||
| Information Resources shall issue a report on the study required | ||
| under this section and recommendations for reducing state costs and | ||
| for improving efficiency in digital data storage and records | ||
| management to the lieutenant governor, the speaker of the house of | ||
| representatives, and the appropriate standing committees of the | ||
| house of representatives and the senate. | ||
| (f) This section expires September 1, 2019. | ||
| SECTION 17. The changes in law made by this Act do not apply | ||
| to the Electric Reliability Council of Texas. | ||
| SECTION 18. This Act takes effect September 1, 2017. | ||
| ______________________________ | ______________________________ | |
| President of the Senate | Speaker of the House | |
| I certify that H.B. No. 8 was passed by the House on April 25, | ||
| 2017, by the following vote: Yeas 145, Nays 0, 2 present, not | ||
| voting; and that the House concurred in Senate amendments to H.B. | ||
| No. 8 on May 27, 2017, by the following vote: Yeas 139, Nays 7, 2 | ||
| present, not voting. | ||
| ______________________________ | ||
| Chief Clerk of the House | ||
| I certify that H.B. No. 8 was passed by the Senate, with | ||
| amendments, on May 24, 2017, by the following vote: Yeas 31, Nays | ||
| 0. | ||
| ______________________________ | ||
| Secretary of the Senate | ||
| APPROVED: __________________ | ||
| Date | ||
| __________________ | ||
| Governor | ||
