Bill Text: TX HB4214 | 2019-2020 | 86th Legislature | Introduced
NOTE: There are more recent revisions of this legislation.
Bill Title: Relating to matters concerning governmental entities, including cybersecurity, governmental efficiencies, information resources, and emergency planning.
Spectrum: Slight Partisan Bill (Republican 8-3)
Status: (Engrossed - Dead) 2019-05-01 - Received from the House [HB4214 Detail]
Download: Texas-2019-HB4214-Introduced.html
86R14336 AAF-D
By: Capriglione    H.B. No. 4214

relating to matters concerning governmental entities, including cybersecurity, governmental efficiencies, information resources, and emergency planning.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 37.108(b), Education Code, is amended to read as follows:
(b) At least once every three years, each school district or public junior college district shall conduct a safety and security audit of the district's facilities, including an information technology cybersecurity assessment. To the extent possible, a district shall follow safety and security audit procedures developed by the Texas School Safety Center or a comparable public or private entity.

SECTION 2. Subchapter C, Chapter 61, Education Code, is amended by adding Section 61.09092 to read as follows:
Sec. 61.09092. COORDINATION OF CYBERSECURITY COURSEWORK DEVELOPMENT. (a) In this section, "lower-division institution of higher education" means a public junior college, public state college, or public technical institute.
(b) The board, in consultation with the Department of Information Resources, shall coordinate with lower-division institutions of higher education and entities that administer or award postsecondary industry certifications or other workforce credentials in cybersecurity to develop certificate programs or other courses of instruction leading toward those certifications or credentials that may be offered by lower-division institutions of higher education.
(c) The board may adopt rules as necessary for the administration of this section.
SECTION 3. Subchapter F, Chapter 401, Government Code, is amended by adding Section 401.106 to read as follows:
Sec. 401.106. CHIEF INNOVATION OFFICER. (a) The governor shall appoint a chief innovation officer.
(b) The chief innovation officer shall:
(1) develop procedures and processes to improve internal state government efficiency and performance;
(2) develop methods to improve the experience of residents, businesses, and local governments in interacting with state government;
(3) in cooperation with the Department of Information Resources, increase the use of technology by state agencies to improve services provided by the agencies and to reduce state expenses and inefficiencies;
(4) provide state agency personnel with training in skills that support innovation;
(5) provide state agency managers with training to support innovation and encourage creative thinking; and
(6) develop and apply measures to document improvements in state government innovation and in employee skills that support innovation.
(c) In performing the duties required under Subsection (b), the chief innovation officer shall:
(1) use strategic innovation;
(2) promote open innovation;
(3) introduce and use group tools and processes that encourage creative thinking; and
(4) conduct market research to determine the best practices for increasing innovation and implement those best practices.
SECTION 4. Section 418.004(1), Government Code, is amended to read as follows:
(1) "Disaster" means the occurrence or imminent threat of widespread or severe damage, injury, or loss of life or property resulting from any natural or man-made cause, including fire, flood, earthquake, wind, storm, wave action, oil spill or other water contamination, volcanic activity, epidemic, air contamination, blight, drought, infestation, explosion, riot, hostile military or paramilitary action, extreme heat, cyber attack, other public calamity requiring emergency action, or energy emergency.
SECTION 5. Subchapter B, Chapter 421, Government Code, is amended by adding Section 421.027 to read as follows:
Sec. 421.027. CYBER INCIDENT STUDY AND RESPONSE PLAN. (a) In this section:
(1) "Cyber incident" means an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information on the computers or systems. The term includes a vulnerability in implementation or in an information system, system security procedure, or internal control that could be exploited by a threat source.
(2) "Significant cyber incident" means a cyber incident, or a group of related cyber incidents, likely to result in demonstrable harm to state security interests, foreign relations, or the economy of this state or to the public confidence, civil liberties, or public health and safety of the residents of this state.
(b) The council, in cooperation with the Department of Information Resources, shall:
(1) conduct a study regarding cyber incidents and significant cyber incidents affecting state agencies and critical infrastructure that is owned, operated, or controlled by agencies; and
(2) develop a comprehensive state response plan to provide a format for each state agency to develop an agency-specific response plan and to implement the plan into the agency's information security plan required under Section 2054.133 to be implemented by the agency in the event of a cyber incident or significant cyber incident affecting the agency or critical infrastructure that is owned, operated, or controlled by the agency.
(c) Not later than September 1, 2020, the council shall deliver the response plan and a report on the findings of the study to:
(1) the public safety director of the Department of Public Safety;
(2) the governor;
(3) the lieutenant governor;
(4) the speaker of the house of representatives;
(5) the chair of the committee of the senate having primary jurisdiction over homeland security matters; and
(6) the chair of the committee of the house of representatives having primary jurisdiction over homeland security matters.
(d) The response plan required by Subsection (b) and the report required by Subsection (c) are not public information for purposes of Chapter 552.
(e) This section expires December 1, 2020.
SECTION 6. Subchapter F, Chapter 437, Government Code, is amended by adding Section 437.255 to read as follows:
Sec. 437.255. ASSISTING TEXAS STATE GUARD WITH CYBER OPERATIONS. To serve the state and safeguard the public from malicious cyber activity, the governor may command the Texas National Guard to assist the Texas State Guard with defending the state's cyber operations.

SECTION 7. The heading to Section 656.047, Government Code, is amended to read as follows:
Sec. 656.047. PAYMENT OF PROGRAM AND CERTIFICATION EXAMINATION EXPENSES.

SECTION 8. Section 656.047, Government Code, is amended by adding Subsection (a-1) to read as follows:
(a-1) A state agency may spend public funds as appropriate to reimburse a state agency employee or administrator who serves in an information technology, cybersecurity, or other cyber-related position for fees associated with industry-recognized certification examinations.
SECTION 9. Section 2054.059, Government Code, is amended to read as follows:
Sec. 2054.059. CYBERSECURITY. From available funds, the department shall:
(1) establish and administer a clearinghouse for information relating to all aspects of protecting the cybersecurity of state agency information;
(2) develop strategies and a framework for:
(A) the securing of cyberinfrastructure by state agencies, including critical infrastructure; and
(B) cybersecurity risk assessment and mitigation planning;
(3) develop and provide training to state agencies, including training for new employees of state agencies, on cybersecurity measures and awareness;
(4) provide assistance to state agencies on request regarding the strategies and framework developed under Subdivision (2); and
(5) promote public awareness of cybersecurity issues.
SECTION 10. Subchapter C, Chapter 2054, Government Code, is amended by adding Section 2054.069 to read as follows:
Sec. 2054.069. SECURITY STANDARDS FOR INTERNET CONNECTIVITY OF CERTAIN OBJECTS. (a) The department, in consultation with representatives of the information technology industry and voluntary standards organizations, shall develop a comprehensive set of risk-based security standards for the Internet connectivity of computing devices embedded in objects used or purchased by state agencies.
(b) In developing the standards under Subsection (a), the department shall identify existing security standards and best practices and any known security gaps for a range of deployments, including critical systems and consumer usage.
SECTION 11. Subchapter F, Chapter 2054, Government Code, is amended by adding Sections 2054.137, 2054.138, and 2054.139 to read as follows:
Sec. 2054.137. INFORMATION SECURITY CONTINUOUS MONITORING PROGRAM. (a) In this section:
(1) "Common control" means a security control that is inherited by one or more information resources technologies.
(2) "Program" means the information security continuous monitoring program described by this section.
(b) Each state agency shall:
(1) develop and maintain an information security continuous monitoring program that:
(A) allows the agency to maintain ongoing awareness of the security and vulnerabilities of and threats to the agency's information resources;
(B) provides a clear understanding of organizational risk and helps the agency set priorities and manage the risk consistently;
(C) addresses how the agency conducts ongoing authorizations of information resources technologies and the environments in which those technologies operate, including the agency's use of common controls;
(D) aligns with the continuous monitoring guidance, cybersecurity framework, and risk management framework published in Special Publications 800-137 and 800-53 by the United States Department of Commerce National Institute of Standards and Technology;
(E) addresses critical security controls, including hardware asset management, software asset management, configuration management, and vulnerability management; and
(F) requires the integration of cybersecurity products;
(2) establish a strategy and plan to implement a program for the agency;
(3) to the extent practicable, establish information security continuous monitoring as an agency-wide solution and deploy enterprise information security continuous monitoring products and services;
(4) submit specified security-related information to the dashboard established under Subsection (c)(3);
(5) evaluate and upgrade information resources technologies and deploy new products, including agency and component information security continuous monitoring dashboards, as necessary to support information security continuous monitoring and the need to submit security-related information requested by the department;
(6) require that external service providers hosting state information meet state information security requirements for information security continuous monitoring; and
(7) ensure the agency has adequate staff with the necessary training to meet the objectives of the program.
(c) The department shall:
(1) oversee the implementation of this section by each state agency;
(2) monitor and assist each state agency in implementation of a program and related strategies; and
(3) establish a statewide dashboard for information security continuous monitoring that provides:
(A) a government-wide view of information security continuous monitoring; and
(B) technical specifications and guidance for state agencies on the requirements for submitting information for purposes of the dashboard.
Sec. 2054.138. CYBERSECURITY THREAT SIMULATION EXERCISES. (a) In this section, "executive staff" means the management or senior level staff members of a state agency who directly report to the executive head of a state agency.
(b) The executive head of a state agency and members of the executive staff may participate in cybersecurity threat simulation exercises with the agency's information resources technologies employees to test the cybersecurity capabilities of the agency.
Sec. 2054.139. CYBERSECURITY TRAINING FOR NEW EMPLOYEES. Not later than the fifth business day after the date on which a new employee begins employment with a state agency, the employee shall complete the cybersecurity training developed by the department under Section 2054.059.
SECTION 12. Section 2054.512(d), Government Code, is amended to read as follows:
(d) The cybersecurity council shall:
(1) consider the costs and benefits of establishing a computer emergency readiness team to address cyber attacks occurring in this state during routine and emergency situations;
(2) establish criteria and priorities for addressing cybersecurity threats to critical state installations;
(3) consolidate and synthesize best practices to assist state agencies in understanding and implementing cybersecurity measures that are most beneficial to this state; [ ]
(4) assess the knowledge, skills, and capabilities of the existing information technology and cybersecurity workforce to mitigate and respond to cyber threats and develop recommendations for addressing immediate workforce deficiencies and ensuring a long-term pool of qualified applicants; and
(5) ensure all middle and high schools have knowledge of and access to:
(A) free cybersecurity courses and curriculum approved by the Texas Education Agency;
(B) state and regional information sharing and analysis centers; and
(C) contracting benefits, including as provided by Section 2054.0565.
SECTION 13. Subchapter N-1, Chapter 2054, Government Code, is amended by adding Sections 2054.5155, 2054.519, 2054.5191, and 2054.5192 to read as follows:
Sec. 2054.5155. INDEPENDENT RISK ASSESSMENT. (a) At least once every five years, in accordance with department rules, each state agency shall:
(1) contract with an independent third party selected from a list provided by the department to conduct an independent risk assessment of the agency's exposure to security risks in the agency's information resources systems and to conduct tests to practice securing systems and notifying all affected parties in the event of a data breach; and
(2) submit the results of the independent risk assessment to the department.
(b) The department annually shall compile the results of the independent risk assessments conducted in the preceding year and prepare:
(1) a public report on the general security issues covered by the assessments that does not contain any information the release of which may compromise any state agency's information resources system; and
(2) a confidential report on specific risks and vulnerabilities that is exempt from disclosure under Chapter 552.
(c) The department annually shall submit to the legislature a comprehensive report on the results of the independent risk assessments conducted under Subsection (a) during the preceding year that includes the report prepared under Subsection (b)(1) and that identifies systematic or pervasive security risk vulnerabilities across state agencies and recommendations for addressing the vulnerabilities but does not contain any information the release of which may compromise any state agency's information resources system.
Sec. 2054.519. VENDOR RESPONSIBILITY FOR CYBERSECURITY. A vendor that contracts with this state to provide information resources technology for a state agency at a cost to the agency of $1 million or more is responsible for addressing known cybersecurity risks associated with the technology and is responsible for any cost associated with addressing the identified cybersecurity risks. For a major information resources project, the vendor shall provide to state agency contracting personnel:
(1) written acknowledgment of any known cybersecurity risks associated with the technology identified in the test conducted under Section 2054.516 or 2054.517;
(2) proof that any individual servicing the contract holds the appropriate industry-recognized certifications as identified by the National Initiative for Cybersecurity Education;
(3) a strategy for mitigating any technology or personnel-related cybersecurity risk identified in the test conducted under Section 2054.516 or 2054.517; and
(4) an initial summary of any costs associated with addressing or remediating the identified technology or personnel-related cybersecurity risks as identified in collaboration with this state following a risk assessment.
Sec. 2054.5191. CYBERSTAR PROGRAM; CERTIFICATE OF APPROVAL. (a) The state cybersecurity coordinator, in collaboration with the cybersecurity council and public and private entities in this state, shall develop best practices for cybersecurity that include:
(1) measurable responsibilities, capacities, and policies for public and private entities to adopt to prepare for and respond to cyber incidents that compromise the confidentiality, integrity, and availability of the entities' information systems;
(2) minimum training requirements and information for employees or other individuals who are most responsible for maintaining security of the entities' information systems;
(3) compliance with:
(A) for a municipality or county, the multihazard emergency operations plan and the safety and security audit required under Section 364.0101, Local Government Code; and
(B) the National Institute of Standards and Technology standards for cybersecurity;
(4) public service announcements to encourage cybersecurity awareness; and
(5) coordination with local and state governmental entities.
(b) The state cybersecurity coordinator shall establish a cyberstar certificate program to recognize public and private entities that implement the best practices for cybersecurity developed in accordance with Subsection (a). The program must allow a public or private entity to submit to the department a form certifying that the entity has complied with the best practices and the department to issue a certificate of approval to the entity. The entity may include the certificate of approval in advertisements and other public communications.
(c) The state cybersecurity coordinator shall conduct an annual public event to promote best practices for cybersecurity.
Sec. 2054.5192. ENCRYPTED SECURE LAYER SERVICES REQUIRED. Each state agency that maintains a publicly accessible Internet website that requires the submission of sensitive personally identifiable information shall use an encrypted secure communication protocol, including a secure hypertext transfer protocol.
SECTION 14. Chapter 2054, Government Code, is amended by adding Subchapter R to read as follows:
SUBCHAPTER R. INFORMATION RESOURCES OF GOVERNMENTAL ENTITIES
Sec. 2054.601. USE OF NEXT GENERATION TECHNOLOGY. Each state agency and local government shall, in the administration of the agency or local government, consider using next generation technologies, including cryptocurrency, blockchain technology, and artificial intelligence.
Sec. 2054.602. LIABILITY EXEMPTION. A person who discloses to a state agency or other governmental entity information regarding a potential security issue with respect to the agency's or entity's information resources technologies is not liable for any civil damages resulting from disclosing the information unless the person stole, retained, or sold any data obtained as a result of the security issue.
Sec. 2054.603. MATCHING GRANTS FOR LOCAL CYBERSECURITY PROJECTS. (a) In this section, "local governmental entity" means a political subdivision of the state, including a:
(1) county;
(2) municipality;
(3) public school district; or
(4) special-purpose district or authority.
(b) Using available funds, the governor shall establish and administer a cybersecurity matching grant program to award grants to local governmental entities to defray the costs of cybersecurity projects.
(c) A local governmental entity that applies to the office of the governor for a matching grant under this section must identify the source and amount of the local governmental entity's matching funds. If the office approves a grant application, the office shall award to the local governmental entity a grant amount equal to 150 percent of the amount committed by the entity.
(d) The office may set a deadline for grant applications for each state fiscal year.
(e) The governor shall adopt rules to implement the grant program created under this section.
Sec. 2054.604. CYBERSECURITY THREAT ASSESSMENT. The department shall develop a cybersecurity threat assessment for local governments that provides best practices for preventing cybersecurity attacks.
Sec. 2054.605. REPOSITORY FOR CYBERSECURITY EDUCATION AND TRAINING. The department, in conjunction with institutions of higher education as defined by Section 61.003, Education Code, shall maintain and promote a centralized repository of information on cybersecurity education and training that is available to any governmental entity in this state.
SECTION 15. Subchapter B, Chapter 2155, Government Code, is amended by adding Section 2155.092 to read as follows:
Sec. 2155.092. VENDOR CERTIFICATION FOR CERTAIN GOODS. (a) This section does not apply to a good provided as part of a major information resources project as defined by Section 2054.003.
(b) A vendor offering to sell to the state a good embedded with a computing device capable of Internet connectivity must include with each bid, offer, proposal, or other expression of interest a written certification providing that the good does not contain, at the time of submitting the bid, offer, proposal, or expression of interest, a hardware, software, or firmware component with any known security vulnerability or defect.

SECTION 16. The heading to Section 2157.007, Government Code, is amended to read as follows:
Sec. 2157.007. [ ] [ ]

SECTION 17. Section 2157.007, Government Code, is amended by amending Subsection (b) and adding Subsection (f) to read as follows:
(b) A state agency shall ensure [ ] automated information system or a major information resources project under Section 2054.118, that the system or project is capable of being deployed and run on cloud computing services.
(f) The department shall periodically review guidelines on state agency information that may be stored by a cloud computing or other storage service and the cloud computing or other storage services available to state agencies for that storage to ensure that an agency purchasing a major information resources project under Section 2054.118 selects the most affordable, secure, and efficient cloud computing or other storage service available to the agency. The guidelines must include appropriate privacy and security standards that, at a minimum, require a vendor who offers cloud computing or other storage services or other software, applications, online services, or information technology solutions to any state agency to demonstrate that data provided by the state to the vendor will be maintained in compliance with all applicable state and federal laws and rules.
SECTION 18. Section 205.010(b), Local Government Code, is amended to read as follows:
(b) A local government that owns, licenses, or maintains computerized data that includes sensitive personal information shall comply, in the event of a breach of system security, with the notification requirements of:
(1) Section 364.0053;
(2) Section 364.0102; and
(3) Section 521.053, Business & Commerce Code, to the same extent as a person who conducts business in this state.

SECTION 19. Subtitle C, Title 11, Local Government Code, is amended by adding Chapter 364 to read as follows:
CHAPTER 364. LOCAL GOVERNMENT CYBERSECURITY AND EMERGENCY PLANNING AND RESPONSE
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 364.0001. DEFINITIONS. In this chapter:
(1) "Breach of system security" has the meaning assigned by Section 521.053, Business & Commerce Code.
(2) "Cybersecurity coordinator" means the state cybersecurity coordinator designated under Section 2054.511, Government Code.
(3) "Cybersecurity council" means the council established by the cybersecurity coordinator under Section 2054.512, Government Code.
(4) "Sensitive personal information" has the meaning assigned by Section 521.002, Business & Commerce Code.
SUBCHAPTER B. REGIONAL INFORMATION SHARING AND ANALYSIS CENTERS
Sec. 364.0051. ESTABLISHMENT. (a) The cybersecurity coordinator shall provide for the establishment and operation of not more than 20 regional information sharing and analysis centers.
(b) Regional information sharing and analysis centers shall be located throughout the state so that the boundaries for each center are coextensive with the regional education service centers established under Chapter 8, Education Code.
Sec. 364.0052. MEMBERSHIP. Each municipality with a population of more than 25,000 shall join the regional information sharing and analysis center in which the municipality is predominantly located. Any other political subdivision may join the regional information sharing and analysis center in which the political subdivision is predominantly located.
Sec. 364.0053. SECURITY BREACH NOTIFICATION. (a) Not later than 48 hours after a political subdivision discovers a breach or suspected breach of system security or an unauthorized exposure of sensitive personal information, the political subdivision shall notify the regional information sharing and analysis center of the breach. The notification must describe the breach, suspected breach, or unauthorized exposure.
(b) A regional information sharing and analysis center shall report to the Department of Information Resources any breach of system security reported by a political subdivision in which the person responsible for the breach:
(1) obtained or modified specific critical or sensitive personal information;
(2) established access to the political subdivision's information systems or infrastructure; or
(3) undermined, severely disrupted, or destroyed a core service, program, or function of the political subdivision, or placed the person in a position to do so in the future.
Sec. 364.0054. RULEMAKING. The cybersecurity coordinator may adopt rules necessary to implement this subchapter.
SUBCHAPTER C. EMERGENCY PLANNING AND RESPONSE
Sec. 364.0101. MULTIHAZARD EMERGENCY OPERATIONS PLAN; SAFETY AND SECURITY AUDIT. (a) This section applies to a municipality or county with a population of more than 100,000.
(b) Each municipality and county shall adopt and implement a multihazard emergency operations plan for use in the municipality's and county's facilities. The plan must address mitigation, preparedness, response, and recovery as determined by the cybersecurity council and the governor's office of homeland security. The plan must provide for:
(1) municipal or county employee training in responding to an emergency;
(2) measures to ensure coordination with the Department of State Health Services, Department of Information Resources, local emergency management agencies, law enforcement agencies, local health departments, and fire departments in the event of an emergency; and
(3) the implementation of a safety and security audit as required by Subsection (c).
(c) At least once every three years, each municipality and county shall conduct a safety and security audit of the municipality's or county's information technology infrastructure. To the extent possible, a municipality or county shall follow safety and security audit procedures developed by the cybersecurity council or a comparable public or private entity.
(d) A municipality or county shall report the results of the safety and security audit conducted under Subsection (c):
(1) to the municipality's or county's governing body; and
(2) in the manner required by the cybersecurity council, to the cybersecurity council.
(e) Except as provided by Subsection (f), any document or information collected, developed, or produced during a safety and security audit conducted under Subsection (c) is not subject to disclosure under Chapter 552, Government Code.
(f) A document relating to a municipality's or county's multihazard emergency operations plan is subject to disclosure if the document enables a person to:
(1) verify that the municipality or county has established a plan and determine the agencies involved in the development of the plan and the agencies coordinating with the municipality or county to respond to an emergency;
(2) verify that the municipality's or county's plan was reviewed within the last 12 months and determine the specific review dates;
(3) verify that the plan addresses the phases of emergency management under Subsection (b);
(4) verify that municipal or county employees have been trained to respond to an emergency and determine the types of training, the number of employees trained, and the person conducting the training;
(5) verify that the municipality or county has completed a safety and security audit under Subsection (c) and determine the date the audit was conducted, the person conducting the audit, and the date the municipality or county presented the results of the audit to the municipality's or county's governing body; and
(6) verify that the municipality or county has addressed any recommendations by the municipality's or county's governing body for improvement of the plan and determine the municipality's or county's progress within the last 12 months.
Sec. 364.0102. RANSOMWARE PAYMENT. (a) In this section, "ransomware" has the meaning assigned by Section 33.023, Penal Code.
(b) Not later than 48 hours after the time a political subdivision makes a ransomware payment, the political subdivision shall notify the cybersecurity coordinator of the payment.
SECTION 20. Section 2054.513, Government Code, is repealed. | ||
SECTION 21. The Department of Information Resources shall | ||
conduct a study on the types of objects embedded with computing | ||
devices that are connected to the Internet that are purchased | ||
through the department. The Department of Information Resources | ||
shall submit a report on the study to the legislature not later than | ||
December 31, 2020. | ||
SECTION 22. (a) The lieutenant governor shall establish a | ||
Senate Select Committee on Cybersecurity and the speaker of the | ||
house of representatives shall establish a House Select Committee | ||
on Cybersecurity to, jointly or separately, study: | ||
(1) cybersecurity in this state; | ||
(2) the information security plans of each state | ||
agency; | ||
(3) the risks and vulnerabilities of state agency | ||
cybersecurity; and | ||
(4) information technology procurement. | ||
(b) Not later than November 30, 2019: | ||
(1) the lieutenant governor shall appoint five | ||
senators to the Senate Select Committee on Cybersecurity, one of | ||
whom shall be designated as chair; and | ||
(2) the speaker of the house of representatives shall | ||
appoint five state representatives to the House Select Committee on | ||
Cybersecurity, one of whom shall be designated as chair. | ||
(c) The committees established under this section shall | ||
convene separately at the call of the chair of the respective | ||
committees, or jointly at the call of both chairs. In joint | ||
meetings, the chairs of each committee shall act as joint chairs. | ||
(d) Following consideration of the issues listed in | ||
Subsection (a) of this section, the committees established under | ||
this section shall jointly adopt recommendations on state | ||
cybersecurity and report in writing to the legislature any findings | ||
and adopted recommendations not later than January 12, 2021. | ||
(e) This section expires September 1, 2021. | ||
SECTION 23. As soon as practicable after the effective date | ||
of this Act, the governor shall appoint a chief innovation officer | ||
as required by Section 401.106, Government Code, as added by this | ||
Act. | ||
SECTION 24. Section 2054.139, Government Code, as added by | ||
this Act, requiring a new employee of a state agency to complete | ||
cybersecurity training, applies only to an employee who begins | ||
employment on or after the effective date of this Act. | ||
SECTION 25. Section 2155.092, Government Code, as added by | ||
this Act, applies only in relation to a contract for which a state | ||
agency first advertises or otherwise solicits bids, offers, | ||
proposals, or other expressions of interest on or after the | ||
effective date of this Act. | ||
SECTION 26. Section 2157.007, Government Code, as amended | ||
by this Act, applies only with respect to a purchase made by a state | ||
agency on or after the effective date of this Act. A purchase made | ||
before the effective date of this Act is governed by the law in | ||
effect on the date the purchase was made, and the former law is | ||
continued in effect for that purpose. | ||
SECTION 27. This Act takes effect September 1, 2019. |