Bill Text: TX SB475 | 2021-2022 | 87th Legislature | Engrossed
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Relating to state agency and local government information management and security, including establishment of the state risk and authorization management program and the Texas volunteer incident response team; authorizing fees.
Spectrum: Slight Partisan Bill (Republican 3-1)
Status: (Passed) 2021-06-14 - See remarks for effective date [SB475 Detail]
Download: Texas-2021-SB475-Engrossed.html
Bill Title: Relating to state agency and local government information management and security, including establishment of the state risk and authorization management program and the Texas volunteer incident response team; authorizing fees.
Spectrum: Slight Partisan Bill (Republican 3-1)
Status: (Passed) 2021-06-14 - See remarks for effective date [SB475 Detail]
Download: Texas-2021-SB475-Engrossed.html
By: Nelson, Kolkhorst | S.B. No. 475 | |
Zaffirini |
|
||
|
||
relating to state agency and local government information | ||
management and security, including establishment of the state risk | ||
and authorization management program and the Texas volunteer | ||
incident response team; authorizing fees. | ||
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
SECTION 1. Subchapter B, Chapter 2054, Government Code, is | ||
amended by adding Section 2054.0332 to read as follows: | ||
Sec. 2054.0332. DATA MANAGEMENT ADVISORY COMMITTEE. (a) | ||
The board shall appoint a data management advisory committee. | ||
(b) The advisory committee is composed of each data | ||
management officer designated by a state agency under Section | ||
2054.137 and the department's chief data officer. | ||
(c) The advisory committee shall: | ||
(1) advise the board and department on establishing | ||
statewide data ethics, principles, goals, strategies, standards, | ||
and architecture; | ||
(2) provide guidance and recommendations on governing | ||
and managing state agency data and data management systems, | ||
including recommendations to assist data management officers in | ||
fulfilling the duties assigned under Section 2054.137; and | ||
(3) establish performance objectives for state | ||
agencies from this state's data-driven policy goals. | ||
(d) Sections 2110.002 and 2110.008 do not apply to the | ||
advisory committee. | ||
SECTION 2. Subchapter C, Chapter 2054, Government Code, is | ||
amended by adding Section 2054.0593 to read as follows: | ||
Sec. 2054.0593. CLOUD COMPUTING STATE RISK AND | ||
AUTHORIZATION MANAGEMENT PROGRAM. (a) In this section, "cloud | ||
computing service" has the meaning assigned by Section 2157.007. | ||
(b) The department shall establish a state risk and | ||
authorization management program to provide a standardized | ||
approach for security assessment, authorization, and continuous | ||
monitoring of cloud computing services that process the data of a | ||
state agency. The program must allow a vendor to demonstrate | ||
compliance by submitting documentation that shows the vendor's | ||
compliance with a risk and authorization management program of: | ||
(1) the federal government; or | ||
(2) another state that the department approves. | ||
(c) The department by rule shall prescribe: | ||
(1) the categories and characteristics of cloud | ||
computing services subject to the state risk and authorization | ||
management program; and | ||
(2) the requirements for certification through the | ||
program of vendors that provide cloud computing services. | ||
(d) A state agency shall require each vendor contracting | ||
with the agency to provide cloud computing services for the agency | ||
to comply with the requirements of the state risk and authorization | ||
management program. The department shall evaluate vendors to | ||
determine whether a vendor qualifies for a certification issued by | ||
the department reflecting compliance with program requirements. | ||
(e) A state agency may not enter or renew a contract with a | ||
vendor to purchase cloud computing services for the agency that are | ||
subject to the state risk and authorization management program | ||
unless the vendor demonstrates compliance with program | ||
requirements. | ||
(f) A state agency shall require a vendor contracting with | ||
the agency to provide cloud computing services for the agency that | ||
are subject to the state risk and authorization management program | ||
to maintain program compliance and certification throughout the | ||
term of the contract. | ||
SECTION 3. Section 2054.0594, Government Code, is amended | ||
by adding Subsection (d) to read as follows: | ||
(d) The department shall establish a framework for regional | ||
cybersecurity working groups to execute mutual aid agreements that | ||
allow state agencies, local governments, regional planning | ||
commissions, public and private institutions of higher education, | ||
the private sector, and the incident response team established | ||
under Subchapter N-2 to assist with responding to a cybersecurity | ||
event in this state. A working group may be established within the | ||
geographic area of a regional planning commission established under | ||
Chapter 391, Local Government Code. The working group may | ||
establish a list of available cybersecurity experts and share | ||
resources to assist in responding to the cybersecurity event and | ||
recovery from the event. | ||
SECTION 4. Subchapter F, Chapter 2054, Government Code, is | ||
amended by adding Sections 2054.137 and 2054.138 to read as | ||
follows: | ||
Sec. 2054.137. DESIGNATED DATA MANAGEMENT OFFICER. (a) | ||
Each state agency with more than 150 full-time employees shall | ||
designate a full-time employee of the agency to serve as a data | ||
management officer. | ||
(b) The data management officer for a state agency shall: | ||
(1) coordinate with the chief data officer to ensure | ||
the agency performs the duties assigned under Section 2054.0286; | ||
(2) in accordance with department guidelines, | ||
establish an agency data governance program to identify the | ||
agency's data assets, exercise authority and management over the | ||
agency's data assets, and establish related processes and | ||
procedures to oversee the agency's data assets; and | ||
(3) coordinate with the agency's information security | ||
officer, the agency's records management officer, and the Texas | ||
State Library and Archives Commission to: | ||
(A) implement best practices for managing and | ||
securing data in accordance with state privacy laws and data | ||
privacy classifications; | ||
(B) ensure the agency's records management | ||
programs apply to all types of data storage media; | ||
(C) increase awareness of and outreach for the | ||
agency's records management programs within the agency; and | ||
(D) conduct a data maturity assessment of the | ||
agency's data governance program in accordance with the | ||
requirements established by department rule. | ||
(c) In accordance with department guidelines, the data | ||
management officer for the state agency shall post on the Texas Open | ||
Data Portal established by the department under Section 2054.070 at | ||
least three high-value data sets as defined by Section 2054.1265. | ||
The high-value data sets may not include information that is | ||
confidential or protected from disclosure under state or federal | ||
law. | ||
Sec. 2054.138. SECURITY CONTROLS FOR STATE AGENCY DATA. | ||
Each state agency entering into or renewing a contract with a vendor | ||
authorized to access, transmit, use, or store data for the agency | ||
shall include a provision in the contract requiring the vendor to | ||
meet the security controls the agency determines are proportionate | ||
with the agency's risk under the contract based on the sensitivity | ||
of the agency's data. The vendor must periodically provide to the | ||
agency evidence that the vendor meets the security controls | ||
required under the contract. | ||
SECTION 5. Subchapter G, Chapter 2054, Government Code, is | ||
amended by adding Section 2054.161 to read as follows: | ||
Sec. 2054.161. DATA CLASSIFICATION, SECURITY, AND | ||
RETENTION REQUIREMENTS. On initiation of an information resources | ||
technology project, including an application development project | ||
and any information resources projects described in this | ||
subchapter, a state agency shall classify the data produced from or | ||
used in the project and determine appropriate data security and | ||
applicable retention requirements under Section 441.185 for each | ||
classification. | ||
SECTION 6. Chapter 2054, Government Code, is amended by | ||
adding Subchapter N-2 to read as follows: | ||
SUBCHAPTER N-2. TEXAS VOLUNTEER INCIDENT RESPONSE TEAM | ||
Sec. 2054.52001. DEFINITIONS. In this subchapter: | ||
(1) "Incident response team" means the Texas volunteer | ||
incident response team established under Section 2054.52002. | ||
(2) "Participating entity" means a state agency, | ||
including an institution of higher education, or a local government | ||
that receives assistance under this subchapter during a | ||
cybersecurity event. | ||
(3) "Volunteer" means an individual who provides rapid | ||
response assistance during a cybersecurity event under this | ||
subchapter. | ||
Sec. 2054.52002. ESTABLISHMENT OF TEXAS VOLUNTEER INCIDENT | ||
RESPONSE TEAM. (a) The department shall establish the Texas | ||
volunteer incident response team to provide rapid response | ||
assistance to a participating entity under the department's | ||
direction during a cybersecurity event. | ||
(b) The department shall prescribe eligibility criteria for | ||
participation as a volunteer member of the incident response team, | ||
including a requirement that each volunteer have expertise in | ||
addressing cybersecurity events. | ||
Sec. 2054.52003. CONTRACT WITH VOLUNTEERS. The department | ||
shall enter into a contract with each volunteer the department | ||
approves to provide rapid response assistance under this | ||
subchapter. The contract must require the volunteer to: | ||
(1) acknowledge the confidentiality of information | ||
required by Section 2054.52010; | ||
(2) protect all confidential information from | ||
disclosure; | ||
(3) avoid conflicts of interest that might arise in a | ||
deployment under this subchapter; | ||
(4) comply with department security policies and | ||
procedures regarding information resources technologies; | ||
(5) consent to background screening required by the | ||
department; and | ||
(6) attest to the volunteer's satisfaction of any | ||
eligibility criteria established by the department. | ||
Sec. 2054.52004. VOLUNTEER QUALIFICATION. (a) The | ||
department shall require criminal history record information for | ||
each individual who accepts an invitation to become a volunteer. | ||
(b) The department may request other information relevant | ||
to the individual's qualification and fitness to serve as a | ||
volunteer. | ||
(c) The department has sole discretion to determine whether | ||
an individual is qualified to serve as a volunteer. | ||
Sec. 2054.52005. DEPLOYMENT. (a) In response to a | ||
cybersecurity event that affects multiple participating entities | ||
or a declaration by the governor of a state of disaster caused by a | ||
cybersecurity event, the department on request of a participating | ||
entity may deploy volunteers and provide rapid response assistance | ||
under the department's direction and the managed security services | ||
framework established under Section 2054.0594(d) to assist with the | ||
event. | ||
(b) A volunteer may only accept a deployment under this | ||
subchapter in writing. A volunteer may decline to accept a | ||
deployment for any reason. | ||
Sec. 2054.52006. CYBERSECURITY COUNCIL DUTIES. The | ||
cybersecurity council established under Section 2054.512 shall | ||
review and make recommendations to the department regarding the | ||
policies and procedures used by the department to implement this | ||
subchapter. The department may consult with the council to | ||
implement and administer this subchapter. | ||
Sec. 2054.52007. DEPARTMENT POWERS AND DUTIES. (a) The | ||
department shall: | ||
(1) approve the incident response tools the incident | ||
response team may use in responding to a cybersecurity event; | ||
(2) establish the eligibility criteria an individual | ||
must meet to become a volunteer; | ||
(3) develop and publish guidelines for operation of | ||
the incident response team, including the: | ||
(A) standards and procedures the department uses | ||
to determine whether an individual is eligible to serve as a | ||
volunteer; | ||
(B) process for an individual to apply for and | ||
accept incident response team membership; | ||
(C) requirements for a participating entity to | ||
receive assistance from the incident response team; and | ||
(D) process for a participating entity to request | ||
and obtain the assistance of the incident response team; and | ||
(4) adopt rules necessary to implement this | ||
subchapter. | ||
(b) The department may require a participating entity to | ||
enter into a contract as a condition for obtaining assistance from | ||
the incident response team. The contract must comply with the | ||
requirements of Chapters 771 and 791. | ||
(c) The department may provide appropriate training to | ||
prospective and approved volunteers. | ||
(d) In accordance with state law, the department may provide | ||
compensation for actual and necessary travel and living expenses | ||
incurred by a volunteer on a deployment using money available for | ||
that purpose. | ||
(e) The department may establish a fee schedule for | ||
participating entities receiving incident response team | ||
assistance. The amount of fees collected may not exceed the | ||
department's costs to operate the incident response team. | ||
Sec. 2054.52008. STATUS OF VOLUNTEER; LIABILITY. (a) A | ||
volunteer is not an agent, employee, or independent contractor of | ||
this state for any purpose and has no authority to obligate this | ||
state to a third party. | ||
(b) This state is not liable to a volunteer for personal | ||
injury or property damage sustained by the volunteer that arises | ||
from participation in the incident response team. | ||
Sec. 2054.52009. CIVIL LIABILITY. A volunteer who in good | ||
faith provides professional services in response to a cybersecurity | ||
event is not liable for civil damages as a result of the volunteer's | ||
acts or omissions in providing the services, except for wilful and | ||
wanton misconduct. This immunity is limited to services provided | ||
during the time of deployment for a cybersecurity event. | ||
Sec. 2054.52010. CONFIDENTIAL INFORMATION. Information | ||
written, produced, collected, assembled, or maintained by the | ||
department, a participating entity, the cybersecurity council, or a | ||
volunteer in the implementation of this subchapter is confidential | ||
and not subject to disclosure under Chapter 552 if the information: | ||
(1) contains the contact information for a volunteer; | ||
(2) identifies or provides a means of identifying a | ||
person who may, as a result of disclosure of the information, become | ||
a victim of a cybersecurity event; | ||
(3) consists of a participating entity's cybersecurity | ||
plans or cybersecurity-related practices; or | ||
(4) is obtained from a participating entity or from a | ||
participating entity's computer system in the course of providing | ||
assistance under this subchapter. | ||
SECTION 7. Section 2054.515, Government Code, is amended to | ||
read as follows: | ||
Sec. 2054.515. AGENCY INFORMATION SECURITY ASSESSMENT AND | ||
REPORT. (a) At least once every two years, each state agency shall | ||
conduct an information security assessment of the agency's: | ||
(1) information resources systems, network systems, | ||
digital data storage systems, digital data security measures, and | ||
information resources vulnerabilities; and | ||
(2) data governance program with participation from | ||
the agency's data management officer, if applicable, and in | ||
accordance with requirements established by department rule. | ||
(b) Not later than November 15 of each even-numbered year | ||
[ |
||
results of the assessment to: | ||
(1) the department; and | ||
(2) on request, the governor, the lieutenant governor, | ||
and the speaker of the house of representatives. | ||
(c) The department by rule shall [ |
||
requirements for the information security assessment and report | ||
required by this section. | ||
(d) The report and all documentation related to the | ||
information security assessment and report are confidential and not | ||
subject to disclosure under Chapter 552. The state agency or | ||
department may redact or withhold the information as confidential | ||
under Chapter 552 without requesting a decision from the attorney | ||
general under Subchapter G, Chapter 552. | ||
SECTION 8. Section 2054.601, Government Code, is amended to | ||
read as follows: | ||
Sec. 2054.601. USE OF NEXT GENERATION TECHNOLOGY. Each | ||
state agency and local government shall, in the administration of | ||
the agency or local government, consider using next generation | ||
technologies, including cryptocurrency, blockchain technology, | ||
robotic process automation, and artificial intelligence. | ||
SECTION 9. Chapter 2059, Government Code, is amended by | ||
adding Subchapter E to read as follows: | ||
SUBCHAPTER E. REGIONAL NETWORK SECURITY CENTERS | ||
Sec. 2059.201. ELIGIBLE PARTICIPATING ENTITIES. A state | ||
agency or an entity listed in Sections 2059.058(b)(3)-(5) is | ||
eligible to participate in cybersecurity support and network | ||
security provided by a regional network security center under this | ||
subchapter. | ||
Sec. 2059.202. ESTABLISHMENT OF REGIONAL NETWORK SECURITY | ||
CENTERS. (a) Subject to Subsection (b), the department may | ||
establish regional network security centers, under the | ||
department's managed security services framework established by | ||
Section 2054.0594(d), to assist in providing cybersecurity support | ||
and network security to regional offices or locations for state | ||
agencies and other eligible entities that elect to participate in | ||
and receive services through the center. | ||
(b) The department may establish more than one regional | ||
network security center only if the department determines the first | ||
center established by the department successfully provides to state | ||
agencies and other eligible entities the services the center has | ||
contracted to provide. | ||
(c) The department shall enter into an interagency contract | ||
in accordance with Chapter 771 or an interlocal contract in | ||
accordance with Chapter 791, as appropriate, with an eligible | ||
participating entity that elects to participate in and receive | ||
services through a regional network security center. | ||
Sec. 2059.203. REGIONAL NETWORK SECURITY CENTER LOCATIONS | ||
AND PHYSICAL SECURITY. (a) In creating and operating a regional | ||
network security center, the department shall partner with a | ||
university system or institution of higher education as defined by | ||
Section 61.003, Education Code, other than a public junior college. | ||
The system or institution shall: | ||
(1) serve as an education partner with the department | ||
for the regional network security center; and | ||
(2) enter into an interagency contract with the | ||
department in accordance with Chapter 771. | ||
(b) In selecting the location for a regional network | ||
security center, the department shall select a university system or | ||
institution of higher education that has supportive educational | ||
capabilities. | ||
(c) A university system or institution of higher education | ||
selected to serve as a regional network security center shall | ||
control and monitor all entrances to and critical areas of the | ||
center to prevent unauthorized entry. The system or institution | ||
shall restrict access to the center to only authorized individuals. | ||
(d) A local law enforcement entity or any entity providing | ||
security for a regional network security center shall monitor | ||
security alarms at the regional network security center subject to | ||
the availability of that service. | ||
(e) The department and a university system or institution of | ||
higher education selected to serve as a regional network security | ||
center shall restrict operational information to only center | ||
personnel, except as provided by Chapter 321. | ||
Sec. 2059.204. REGIONAL NETWORK SECURITY CENTERS SERVICES | ||
AND SUPPORT. The department may offer the following managed | ||
security services through a regional network security center: | ||
(1) real-time network security monitoring to detect | ||
and respond to network security events that may jeopardize this | ||
state and the residents of this state; | ||
(2) alerts and guidance for defeating network security | ||
threats, including firewall configuration, installation, | ||
management, and monitoring, intelligence gathering, and protocol | ||
analysis; | ||
(3) immediate response to counter network security | ||
activity that exposes this state and the residents of this state to | ||
risk, including complete intrusion detection system installation, | ||
management, and monitoring for participating entities; | ||
(4) development, coordination, and execution of | ||
statewide cybersecurity operations to isolate, contain, and | ||
mitigate the impact of network security incidents for participating | ||
entities; and | ||
(5) cybersecurity educational services. | ||
Sec. 2059.205. NETWORK SECURITY GUIDELINES AND STANDARD | ||
OPERATING PROCEDURES. (a) The department shall adopt and provide | ||
to each regional network security center appropriate network | ||
security guidelines and standard operating procedures to ensure | ||
efficient operation of the center with a maximum return on the | ||
state's investment. | ||
(b) The department shall revise the standard operating | ||
procedures as necessary to confirm network security. | ||
(c) Each eligible participating entity that elects to | ||
participate in a regional network security center shall comply with | ||
the network security guidelines and standard operating procedures. | ||
SECTION 10. Subtitle B, Title 10, Government Code, is | ||
amended by adding Chapter 2062 to read as follows: | ||
CHAPTER 2062. RESTRICTIONS ON STATE AGENCY USE OF CERTAIN | ||
INDIVIDUAL-IDENTIFYING INFORMATION | ||
Sec. 2062.001. DEFINITIONS. In this chapter: | ||
(1) "Biometric identifier" has the meaning assigned by | ||
Section 560.001. | ||
(2) "State agency" means a department, commission, | ||
board, office, council, authority, or other agency in the | ||
executive, legislative, or judicial branch of state government, | ||
including a university system or institution of higher education as | ||
defined by Section 61.003, Education Code, that is created by the | ||
constitution or a statute of this state. | ||
Sec. 2062.002. CONSENT REQUIRED BEFORE ACQUIRING, | ||
RETAINING, OR DISSEMINATING CERTAIN INFORMATION; RECORDS. (a) | ||
Except as provided by Subsection (b), a state agency may not: | ||
(1) use global positioning system technology, | ||
individual contact tracing, or technology designed to obtain | ||
biometric identifiers to acquire information that alone or in | ||
conjunction with other information identifies an individual or the | ||
individual's location without the individual's written or | ||
electronic consent; | ||
(2) retain information with respect to an individual | ||
described by Subdivision (1) without the individual's written or | ||
electronic consent; or | ||
(3) disseminate to a person the information described | ||
by Subdivision (1) with respect to an individual unless the state | ||
agency first obtains the individual's written or electronic | ||
consent. | ||
(b) A state agency may acquire, retain, and disseminate | ||
information described by Subsection (a) with respect to an | ||
individual without the individual's written or electronic consent | ||
if the acquisition, retention, or dissemination is: | ||
(1) required or permitted by a federal statute or by a | ||
state statute other than Chapter 552; or | ||
(2) made by or to a law enforcement agency for a law | ||
enforcement purpose. | ||
(c) A state agency shall retain the written or electronic | ||
consent of an individual obtained as required under this section in | ||
the agency's records until the contract or agreement under which | ||
the information is acquired, retained, or disseminated expires. | ||
SECTION 11. (a) Not later than December 1, 2021, the | ||
Department of Information Resources shall: | ||
(1) establish the state risk and authorization | ||
management program as required by Section 2054.0593, Government | ||
Code, as added by this Act; | ||
(2) establish the framework for regional | ||
cybersecurity working groups to execute mutual aid agreements as | ||
required under Section 2054.0594(d), Government Code, as added by | ||
this Act; and | ||
(3) establish the Texas volunteer incident response | ||
team as required by Subchapter N-2, Chapter 2054, Government Code, | ||
as added by this Act. | ||
(b) Each state agency shall ensure that: | ||
(1) each contract for cloud computing services the | ||
agency enters into or renews on or after January 1, 2022, complies | ||
with Section 2054.0593, Government Code, as added by this Act; and | ||
(2) each contract subject to Section 2054.138, | ||
Government Code, as added by this Act, that is executed on or after | ||
the effective date of this Act complies with that section. | ||
(c) Each state agency subject to Section 2054.137, | ||
Government Code, as added by this Act, shall designate a data | ||
management officer as soon as practicable after the effective date | ||
of this Act. | ||
(d) Each state agency subject to Section 2054.161, | ||
Government Code, as added by this Act, shall ensure each | ||
information resources technology project initiated on or after the | ||
effective date of this Act complies with that section. | ||
SECTION 12. Not later than October 15, 2022, the Department | ||
of Information Resources shall submit to the standing committees of | ||
the senate and house of representatives with primary jurisdiction | ||
over state agency cybersecurity a report on the department's | ||
activities and recommendations related to the Texas volunteer | ||
incident response team established as required by Subchapter N-2, | ||
Chapter 2054, Government Code, as added by this Act. | ||
SECTION 13. Chapter 2062, Government Code, as added by this | ||
Act, applies only to information acquired, retained, or | ||
disseminated by a state agency to another person on or after the | ||
effective date of this Act. | ||
SECTION 14. (a) Except as provided by Subsection (b) of | ||
this section, this Act takes effect immediately if it receives a | ||
vote of two-thirds of all the members elected to each house, as | ||
provided by Section 39, Article III, Texas Constitution. If this | ||
Act does not receive the vote necessary for immediate effect, this | ||
Act takes effect September 1, 2021. | ||
(b) Chapter 2062, Government Code, as added by this Act, | ||
takes effect September 1, 2021. |