Bill Text: TX HB8 | 2017-2018 | 85th Legislature | Comm Sub
NOTE: There are more recent revisions of this legislation.
Bill Title: Relating to cybersecurity for state agency information resources.
Spectrum: Moderate Partisan Bill (Republican 13-3)
Status: (Passed) 2017-06-12 - Effective on 9/1/17
By: Capriglione, et al. (Senate Sponsor - Nelson)   H.B. No. 8
(In the Senate - Received from the House April 26, 2017; May 3, 2017, read first time and referred to Committee on Business & Commerce; May 19, 2017, reported adversely, with favorable Committee Substitute by the following vote: Yeas 9, Nays 0; May 19, 2017, sent to printer.)
COMMITTEE SUBSTITUTE FOR H.B. No. 8   By: Creighton

relating to cybersecurity for state agency information resources.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. This Act may be cited as the Texas Cybersecurity Act.

SECTION 2. Section 551.089, Government Code, is amended to read as follows:
Sec. 551.089. DELIBERATION REGARDING SECURITY DEVICES OR SECURITY AUDITS; CLOSED MEETING [

conduct an open meeting to deliberate:
(1) security assessments or deployments relating to information resources technology;
(2) network security information as described by Section 2059.055(b); or
(3) the deployment, or specific occasions for implementation, of security personnel, critical infrastructure, or security devices.

SECTION 3. Section 552.139, Government Code, is amended by adding Subsection (d) to read as follows:
(d) When posting a contract on an Internet website as required by Section 2261.253, a state agency shall redact information made confidential by this section or excepted from public disclosure by this section. Redaction under this subsection does not except information from the requirements of Section 552.021.
SECTION 4. Subchapter C, Chapter 2054, Government Code, is amended by adding Section 2054.0594 to read as follows:
Sec. 2054.0594. INFORMATION SHARING AND ANALYSIS CENTER.
(a) The department shall establish an information sharing and analysis center to provide a forum for state agencies to share information regarding cybersecurity threats, best practices, and remediation strategies.
(b) The department shall appoint persons from appropriate state agencies to serve as representatives to the information sharing and analysis center.
(c) The department, using funds other than funds appropriated to the department in a general appropriations act, shall provide administrative support to the information sharing and analysis center.

SECTION 5. Sections 2054.077(b) and (e), Government Code, are amended to read as follows:
(b) The information resources manager of a state agency may prepare or have prepared a report, including an executive summary of the findings of the report, assessing the extent to which a computer, a computer program, a computer network, a computer system, a printer, an interface to a computer system, including mobile and peripheral devices, computer software, or data processing of the agency or of a contractor of the agency is vulnerable to unauthorized access or harm, including the extent to which the agency's or contractor's electronically stored information is vulnerable to alteration, damage, erasure, or inappropriate use.
(e) Separate from the executive summary described by Subsection (b), a state agency [

prepare a summary of the agency's vulnerability report that does not contain any information the release of which might compromise the security of the state agency's or state agency contractor's computers, computer programs, computer networks, computer systems, printers, interfaces to computer systems, including mobile and peripheral devices, computer software, data processing, or electronically stored information. The summary is available to the public on request.
SECTION 6. Section 2054.1125(b), Government Code, is amended to read as follows:
(b) A state agency that owns, licenses, or maintains computerized data that includes sensitive personal information, confidential information, or information the disclosure of which is regulated by law shall, in the event of a breach or suspected breach of system security or an unauthorized exposure of that information:
(1) comply[

Business & Commerce Code, to the same extent as a person who conducts business in this state; and
(2) not later than 48 hours after the discovery of the breach, suspected breach, or unauthorized exposure, notify:
(A) the department, including the chief information security officer and the state cybersecurity coordinator; or
(B) if the breach, suspected breach, or unauthorized exposure involves election data, the secretary of state.

SECTION 7. Section 2054.133, Government Code, is amended by adding Subsections (b-1), (b-2), and (b-3) to read as follows:
(b-1) The executive head and information security officer of each state agency shall annually review and approve in writing the agency's information security plan and strategies for addressing the agency's information resources systems that are at highest risk for security breaches. The plan at a minimum must include solutions that isolate and segment sensitive information and maintain architecturally sound and secured separation among networks. If a state agency does not have an information security officer, the highest ranking information security employee for the agency shall review and approve the plan and strategies. The executive head retains full responsibility for the agency's information security and any risks to that security.
(b-2) Each state agency shall include in the agency's information security plan the actions the agency is taking to incorporate into the plan the core functions of "identify, protect, detect, respond, and recover" as recommended in the "Framework for Improving Critical Infrastructure Cybersecurity" of the United States Department of Commerce National Institute of Standards and Technology. The agency shall, at a minimum, identify any information the agency requires individuals to provide to the agency or the agency retains that is not necessary for the agency's operations. The agency may incorporate the core functions over a period of years.
(b-3) A state agency's information security plan must include appropriate privacy and security standards that, at a minimum, require a vendor who offers cloud computing services or other software, applications, online services, or information technology solutions to any state agency to contractually warrant that data provided by the state to the vendor will be maintained in compliance with all applicable state and federal laws and rules as specified in the applicable scope of work, request for proposal, or other document requirements.
SECTION 8. Section 2054.512, Government Code, is amended to read as follows:
Sec. 2054.512. CYBERSECURITY [

COUNCIL. (a) The state cybersecurity coordinator shall [

establish and lead a cybersecurity council that includes public and private sector leaders and cybersecurity practitioners to collaborate on matters of cybersecurity concerning this state.
(b) The cybersecurity council must include:
(1) one member who is an employee of the office of the governor;
(2) one member of the senate appointed by the lieutenant governor;
(3) one member of the house of representatives appointed by the speaker of the house of representatives; and
(4) additional members appointed by the state cybersecurity coordinator, including representatives of institutions of higher education and private sector leaders.
(c) In appointing representatives from institutions of higher education to the cybersecurity council, the state cybersecurity coordinator shall consider appointing members of the Information Technology Council for Higher Education.
(d) The cybersecurity council shall provide recommendations to the legislature on any legislation necessary to implement cybersecurity best practices and remediation strategies for this state.

SECTION 9. Subchapter N-1, Chapter 2054, Government Code, is amended by adding Section 2054.515 to read as follows:
Sec. 2054.515. AGENCY INFORMATION SECURITY ASSESSMENT AND REPORT. (a) At least once every two years, each state agency shall conduct an information security assessment of the agency's information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities.
(b) Not later than December 1 of the year in which a state agency conducts the assessment under Subsection (a), the agency shall report the results of the assessment to the department, the governor, the lieutenant governor, and the speaker of the house of representatives.
(c) The department by rule may establish the requirements for the information security assessment and report required by this section.

SECTION 10. Section 2054.575(a), Government Code, is amended to read as follows:
(a) A state agency shall, with available funds, identify information security issues and develop a plan to prioritize the remediation and mitigation of those issues. The agency shall include in the plan:
(1) procedures for reducing the agency's level of exposure with regard to information that alone or in conjunction with other information identifies an individual maintained on a legacy system of the agency;
(2) the best value approach for modernizing, replacing, renewing, or disposing of a legacy system that maintains information critical to the agency's responsibilities;
(3) an analysis of the percentage of state agency personnel in information technology, cybersecurity, or other cyber-related positions who currently hold the appropriate industry-recognized certifications as identified by the National Initiative for Cybersecurity Education;
(4) the level of preparedness of state agency cyber personnel and potential personnel who do not hold the appropriate industry-recognized certifications to successfully complete the industry-recognized certification examinations; and
(5) a strategy for mitigating any workforce-related discrepancy in information technology, cybersecurity, or other cyber-related positions with the appropriate training and industry-recognized certifications.
SECTION 11. Section 2059.055(b), Government Code, is amended to read as follows:
(b) Network security information is confidential under this section if the information is:
(1) related to passwords, personal identification numbers, access codes, encryption, or other components of the security system of a governmental entity [

(2) collected, assembled, or maintained by or for a governmental entity to prevent, detect, or investigate criminal activity; or
(3) related to an assessment, made by or for a governmental entity or maintained by a governmental entity, of the vulnerability of a network to criminal activity.

SECTION 12. Subtitle B, Title 10, Government Code, is amended by adding Chapter 2061 to read as follows:
CHAPTER 2061. INDIVIDUAL-IDENTIFYING INFORMATION
Sec. 2061.001. DEFINITIONS. In this chapter:
(1) "Cybersecurity risk" means a material threat of attack, damage, or unauthorized access to the networks, computers, software, or data storage of a state agency.
(2) "State agency" means a department, commission, board, office, council, authority, or other agency in the executive, legislative, or judicial branch of state government, including a university system or institution of higher education, as defined by Section 61.003, Education Code, that is created by the constitution or a statute of this state.
Sec. 2061.002. DESTRUCTION AUTHORIZED. (a) A state agency shall destroy or arrange for the destruction of information that presents a cybersecurity risk and alone or in conjunction with other information identifies an individual in connection with the agency's networks, computers, software, or data storage if the agency is otherwise prohibited by law from retaining the information for a period of years.
(b) This section does not apply to a record involving criminal activity or a criminal investigation retained for law enforcement purposes.
(c) A state agency may not destroy or arrange for the destruction of any election data before the third anniversary of the date the election to which the data pertains is held.
(d) A state agency may not under any circumstance sell:
(1) a person's Internet browsing history;
(2) a person's application usage history; or
(3) the functional equivalent of the information described in Subdivisions (1) and (2).
SECTION 13. Chapter 276, Election Code, is amended by adding Section 276.011 to read as follows:
Sec. 276.011. ELECTION CYBER ATTACK STUDY. (a) Not later than December 1, 2018, the secretary of state shall:
(1) conduct a study regarding cyber attacks on election infrastructure;
(2) prepare a public summary report on the study's findings that does not contain any information the release of which may compromise any election;
(3) prepare a confidential report on specific findings and vulnerabilities that is exempt from disclosure under Chapter 552, Government Code; and
(4) submit to the standing committees of the legislature with jurisdiction over election procedures a copy of the report required under Subdivision (2) and a general compilation of the report required under Subdivision (3) that does not contain any information the release of which may compromise any election.
(b) The study must include:
(1) an investigation of vulnerabilities and risks for a cyber attack against a county's voting system machines or the list of registered voters;
(2) information on any attempted cyber attack on a county's voting system machines or the list of registered voters; and
(3) recommendations for protecting a county's voting system machines and list of registered voters from a cyber attack.
(c) The secretary of state, using existing resources, may contract with a qualified vendor to conduct the study required by this section.
(d) This section expires January 1, 2019.

SECTION 14. (a) The lieutenant governor shall establish a Senate Select Committee on Cybersecurity and the speaker of the house of representatives shall establish a House Select Committee on Cybersecurity to, jointly or separately, study:
(1) cybersecurity in this state;
(2) the information security plans of each state agency; and
(3) the risks and vulnerabilities of state agency cybersecurity.
(b) Not later than November 30, 2017:
(1) the lieutenant governor shall appoint five senators to the Senate Select Committee on Cybersecurity, one of whom shall be designated as chair; and
(2) the speaker of the house of representatives shall appoint five state representatives to the House Select Committee on Cybersecurity, one of whom shall be designated as chair.
(c) The committees established under this section shall convene separately at the call of the chair of the respective committees, or jointly at the call of both chairs. In joint meetings, the chairs of each committee shall act as joint chairs.
(d) Following consideration of the issues listed in Subsection (a) of this section, the committees established under this section shall jointly adopt recommendations on state cybersecurity and report in writing to the legislature any findings and adopted recommendations not later than January 13, 2019.
(e) This section expires September 1, 2019.
SECTION 15. (a) In this section, "state agency" means a board, commission, office, department, council, authority, or other agency in the executive or judicial branch of state government that is created by the constitution or a statute of this state. The term does not include a university system or institution of higher education as those terms are defined by Section 61.003, Education Code.
(b) The Department of Information Resources, in consultation with the Texas State Library and Archives Commission, shall conduct a study on state agency digital data storage and records management practices and the associated costs to this state.
(c) The study required under this section must examine:
(1) the current digital data storage practices of state agencies in this state;
(2) the costs associated with those digital data storage practices;
(3) the digital records management and data classification policies of state agencies and whether the state agencies are consistently complying with the established policies;
(4) whether the state agencies are storing digital data that exceeds established retention requirements and the cost of that unnecessary storage;
(5) the adequacy of storage systems used by state agencies to securely maintain confidential digital records;
(6) possible solutions and improvements recommended by the state agencies for reducing state costs and increasing security for digital data storage and records management; and
(7) the security level and possible benefits of and the cost savings from using cloud computing services for agency data storage, data classification, and records management.
(d) Each state agency shall participate in the study required by this section and provide appropriate assistance and information to the Department of Information Resources and the Texas State Library and Archives Commission.
(e) Not later than December 1, 2018, the Department of Information Resources shall issue a report on the study required under this section and recommendations for reducing state costs and for improving efficiency in digital data storage and records management to the lieutenant governor, the speaker of the house of representatives, and the appropriate standing committees of the house of representatives and the senate.
(f) This section expires September 1, 2019.

SECTION 16. The changes in law made by this Act do not apply to the Electric Reliability Council of Texas.

SECTION 17. This Act takes effect September 1, 2017.

* * * * *