H.B. No. 1830
 
 
 
 
AN ACT
  relating to information technology security practices of state
  agencies.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 411.081(i), Government Code, is amended
  to read as follows:
         (i)  A criminal justice agency may disclose criminal history
  record information that is the subject of an order of nondisclosure
  to the following noncriminal justice agencies or entities only:
               (1)  the State Board for Educator Certification;
               (2)  a school district, charter school, private school,
  regional education service center, commercial transportation
  company, or education shared service arrangement;
               (3)  the Texas Medical Board;
               (4)  the Texas School for the Blind and Visually
  Impaired;
               (5)  the Board of Law Examiners;
               (6)  the State Bar of Texas;
               (7)  a district court regarding a petition for name
  change under Subchapter B, Chapter 45, Family Code;
               (8)  the Texas School for the Deaf;
               (9)  the Department of Family and Protective Services;
               (10)  the Texas Youth Commission;
               (11)  the Department of Assistive and Rehabilitative
  Services;
               (12)  the Department of State Health Services, a local
  mental health service, a local mental retardation authority, or a
  community center providing services to persons with mental illness
  or retardation;
               (13)  the Texas Private Security Board;
               (14)  a municipal or volunteer fire department;
               (15)  the Texas Board of Nursing;
               (16)  a safe house providing shelter to children in
  harmful situations;
               (17)  a public or nonprofit hospital or hospital
  district;
               (18)  the Texas Juvenile Probation Commission;
               (19)  the securities commissioner, the banking
  commissioner, the savings and mortgage lending commissioner, or the
  credit union commissioner;
               (20)  the Texas State Board of Public Accountancy;
               (21)  the Texas Department of Licensing and Regulation;
               (22)  the Health and Human Services Commission;
               (23)  the Department of Aging and Disability Services;
  [and]
               (24)  the Texas Education Agency; and
               (25)  the Department of Information Resources but only
  regarding an employee, applicant for employment, contractor,
  subcontractor, intern, or volunteer who provides network security
  services under Chapter 2059 to:
                     (A)  the Department of Information Resources; or
                     (B)  a contractor or subcontractor of the
  Department of Information Resources.
         SECTION 2.  Subchapter F, Chapter 411, Government Code, is
  amended by adding Section 411.1404 to read as follows:
         Sec. 411.1404.  ACCESS TO CRIMINAL HISTORY RECORD
  INFORMATION:  DEPARTMENT OF INFORMATION RESOURCES.  (a)  The
  Department of Information Resources is entitled to obtain from the
  department or the identification division of the Federal Bureau of
  Investigation the criminal history record information maintained
  by the department or division that relates to a person who is an
  employee, applicant for employment, contractor, subcontractor,
  intern, or other volunteer with the Department of Information
  Resources or with a contractor or subcontractor for the Department
  of Information Resources.
         (b)  Criminal history record information obtained by the
  Department of Information Resources under this section may not be
  released or disclosed except:
               (1)  by court order; or
               (2)  with the consent of the person who is the subject
  of the information.
         (c)  The Department of Information Resources shall destroy
  criminal history record information obtained under this section
  that relates to a person after the information is used to make an
  employment decision or to take a personnel action relating to the
  person who is the subject of the information.
         (d)  The Department of Information Resources may not obtain
  criminal history record information under this section unless the 
  Department of Information Resources first adopts policies and
  procedures that provide that evidence of a criminal conviction or
  other relevant information obtained from the criminal history
  record information does not automatically disqualify an individual
  from employment.  The policies and procedures adopted under this
  subsection must provide that the hiring official will determine, on
  a case-by-case basis, whether the individual is qualified for
  employment based on factors that include:
               (1)  the specific duties of the position;
               (2)  the number of offenses committed by the
  individual;
               (3)  the nature and seriousness of each offense;
               (4)  the length of time between the offense and the
  employment decision;
               (5)  the efforts by the individual at rehabilitation;
  and
               (6)  the accuracy of the information on the
  individual's employment application.
         SECTION 3.  Subchapter D, Chapter 551, Government Code, is
  amended by adding Section 551.089 to read as follows:
         Sec. 551.089.  DEPARTMENT OF INFORMATION RESOURCES. This
  chapter does not require the governing board of the Department of
  Information Resources to conduct an open meeting to deliberate:
               (1)  security assessments or deployments relating to
  information resources technology;
               (2)  network security information as described by
  Section 2059.055(b); or
               (3)  the deployment, or specific occasions for
  implementation, of security personnel, critical infrastructure, or
  security devices.
         SECTION 4.  Section 552.139, Government Code, is amended to
  read as follows:
         Sec. 552.139.  EXCEPTION: GOVERNMENT INFORMATION RELATED TO
  SECURITY OR INFRASTRUCTURE ISSUES FOR COMPUTERS.  (a)  Information
  is excepted from the requirements of Section 552.021 if it is
  information that relates to computer network security, to
  restricted information under Section 2059.055, or to the design,
  operation, or defense of a computer network.
         (b)  The following information is confidential:
               (1)  a computer network vulnerability report; and
               (2)  any other assessment of the extent to which data
  processing operations, a computer, [or] a computer program,
  network, system, or system interface, or software of a governmental
  body or of a contractor of a governmental body is vulnerable to
  unauthorized access or harm, including an assessment of the extent
  to which the governmental body's or contractor's electronically
  stored information containing sensitive or critical information is
  vulnerable to alteration, damage, [or] erasure, or inappropriate
  use.
         (c)  Notwithstanding the confidential nature of the
  information described in this section, the information may be
  disclosed to a bidder if the governmental body determines that
  providing the information is necessary for the bidder to provide an
  accurate bid.  A disclosure under this subsection is not a voluntary
  disclosure for purposes of Section 552.007.
         SECTION 5.  Sections 2054.077(b), (d), and (e), Government
  Code, are amended to read as follows:
         (b)  The information resources manager of a state agency may
  prepare or have prepared a report, including an executive summary
  of the findings of the report, assessing the extent to which a
  computer, a computer program, a computer network, a computer
  system, an interface to a computer system, computer software, or
  data processing of the agency or of a contractor of the agency is
  vulnerable to unauthorized access or harm, including the extent to
  which the agency's or contractor's electronically stored
  information is vulnerable to alteration, damage, [or] erasure, or
  inappropriate use.
         (d)  The [On request, the] information resources manager
  shall provide an electronic [a] copy of the vulnerability report on
  its completion to:
               (1)  the department;
               (2)  the state auditor; [and]
               (3)  the agency's executive director; and
               (4)  any other information technology security
  oversight group specifically authorized by the legislature to
  receive the report.
         (e)  Separate from the executive summary described by
  Subsection (b), a [A] state agency whose information resources
  manager has prepared or has had prepared a vulnerability report
  shall prepare a summary of the report that does not contain any
  information the release of which might compromise the security of
  the state agency's or state agency contractor's computers, computer
  programs, computer networks, computer systems, computer software,
  data processing, or electronically stored information. The summary
  is available to the public on request.
         SECTION 6.  Section 2054.100(b), Government Code, is amended
  to read as follows:
         (b)  The plan must describe the agency's current and proposed
  projects for the biennium, including how the projects will:
               (1)  benefit individuals in this state and benefit the
  state as a whole;
               (2)  use, to the fullest extent, technology owned or
  adapted by other state agencies;
               (3)  employ, to the fullest extent, the department's
  information technology standards, including Internet-based
  technology standards;
               (4)  expand, to the fullest extent, to serve residents
  of this state or to serve other state agencies;
               (5)  develop on time and on budget;
               (6)  produce quantifiable returns on investment; and
               (7)  meet any other criteria developed by the
  department or the quality assurance team.
         SECTION 7.  Subchapter B, Chapter 2059, Government Code, is
  amended by adding Section 2059.060 to read as follows:
         Sec. 2059.060.  VULNERABILITY TESTING OF NETWORK HARDWARE
  AND SOFTWARE.  (a)  The department shall adopt rules requiring, in
  state agency contracts for network hardware and software, a
  statement by the vendor certifying that the network hardware or
  software, as applicable, has undergone independent certification
  testing for known and relevant vulnerabilities.
         (b)  Rules adopted under Subsection (a) may:
               (1)  provide for vendor exemptions; and
               (2)  establish certification standards for testing
  network hardware and software for known and relevant
  vulnerabilities.
         (c)  Unless otherwise provided by rule, the required
  certification testing must be conducted under maximum load
  conditions in accordance with published performance claims of a
  hardware or software manufacturer, as applicable.
         SECTION 8.  (a)  The Department of Information Resources
  shall adopt the rules required by Section 2059.060, Government
  Code, as added by this Act, not later than September 1, 2010.
         (b)  The change in law made by Section 2059.060, Government
  Code, as added by this Act, applies only to a contract entered into
  on or after December 1, 2010.
         SECTION 9.  This Act takes effect September 1, 2009.
 
 
  ______________________________ ______________________________
     President of the Senate          Speaker of the House
 
 
         I certify that H.B. No. 1830 was passed by the House on April
  2, 2009, by the following vote:  Yeas 144, Nays 0, 1 present, not
  voting; and that the House concurred in Senate amendments to H.B.
  No. 1830 on May 14, 2009, by the following vote:  Yeas 142, Nays 0,
  1 present, not voting.
 
  ______________________________
  Chief Clerk of the House   
 
         I certify that H.B. No. 1830 was passed by the Senate, with
  amendments, on May 7, 2009, by the following vote:  Yeas 31, Nays 0.
 
  ______________________________
  Secretary of the Senate   
  APPROVED: __________________
                  Date       
   
           __________________
                Governor