H.B. No. 3112

relating to the security of computer networks in state government. BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: SECTION 1. Subtitle B, Title 10, Government Code, is amended by adding Chapter 2059 to read as follows:
Sec. 2059.001. DEFINITIONS. In this chapter: (1) "Center" means the network security center established under this chapter. (2) "Department" means the Department of Information Resources. (3) "Network security" means the protection of computer systems and technology assets from unauthorized external intervention or improper use. The term includes detecting, identifying, and countering malicious network activity to prevent the acquisition of information or disruption of information technology operations. (4) "State agency" has the meaning assigned by Section 2151.002.
[Sections 2059.002-2059.050 reserved for expansion]
Sec. 2059.051. DEPARTMENT RESPONSIBLE FOR PROVIDING COMPUTER NETWORK SECURITY SERVICES. The department shall provide network security services to: (1) state agencies; and (2) other entities by agreement as provided by Section 2059.058. Sec. 2059.052. SERVICES PROVIDED TO INSTITUTIONS OF HIGHER EDUCATION. The department may provide network security services to an institution of higher education, and may include an institution of higher education in a center, only if and to the extent approved by the Information Technology Council for Higher Education. Sec. 2059.053. RULES. The department may adopt rules necessary to implement this chapter. Sec. 2059.054. OWNERSHIP OR LEASE OF NECESSARY EQUIPMENT. The department may purchase in accordance with Chapters 2155, 2156, 2157, and 2158 any facilities or equipment necessary to provide network security services to state agencies. Sec. 2059.055. RESTRICTED INFORMATION. (a) Confidential network security information may be released only to officials responsible for the network, law enforcement, the state auditor's office, and agency or elected officials designated by the department. (b) Network security information is confidential under this section if the information is: (1) related to passwords, personal identification numbers, access codes, encryption, or other components of the security system of a state agency; (2) collected, assembled, or maintained by or for a governmental entity to prevent, detect, or investigate criminal activity; or (3) related to an assessment, made by or for a governmental entity or maintained by a governmental entity, of the vulnerability of a network to criminal activity. Sec. 2059.056. RESPONSIBILITY FOR EXTERNAL AND INTERNAL SECURITY THREATS. If the department provides network security services for a state agency or other entity under this chapter, the department is responsible for network security from external threats for that agency or entity. Network security management for that state agency or entity regarding internal threats remains the responsibility of that state agency or entity. Sec. 2059.057. BIENNIAL REPORT. (a) The department shall biennially prepare a report on: (1) the department's accomplishment of service objectives and other performance measures under this chapter; and (2) the status, including the financial performance, of the consolidated network security system provided through the center. (b) The department shall submit the report to: (1) the governor; (2) the lieutenant governor; (3) the speaker of the house of representatives; and (4) the state auditor's office. Sec. 2059.058. AGREEMENT TO PROVIDE NETWORK SECURITY SERVICES TO ENTITIES OTHER THAN STATE AGENCIES. (a) In this section, a "special district" means: (1) a school district; (2) a hospital district; (3) a water district; or (4) a district or special water authority, as defined by Section 49.001, Water Code. (b) In addition to the department's duty to provide network security services to state agencies under this chapter, the department by agreement may provide network security to: (1) each house of the legislature; (2) an agency that is not a state agency, including a legislative agency; (3) a political subdivision of this state, including a county, municipality, or special district; and (4) an independent organization, as defined by Section 39.151, Utilities Code. Sec. 2059.059. TRANSITION TO THE CENTER. (a) The department shall provide network security services for a state agency if the department makes that state agency's network a part of the consolidated state network through the center. (b) Before the construction and operation of the center, the department may provide network security services through agreements with entities that provide those services using existing network security centers or operations. (c) If the state agency or entity pays its proportional share of the network security services costs under this chapter, the department shall provide network security services to that state agency or other entity before the department makes the state agency's network a part of the consolidated state network. (d) This section expires September 1, 2011.
[Sections 2059.060-2059.100 reserved for expansion]
Sec. 2059.101. NETWORK SECURITY CENTER. The department shall establish a network security center to provide network security services to state agencies. Sec. 2059.102. MANAGEMENT AND USE OF NETWORK SECURITY SYSTEM. (a) The department shall manage the operation of network security system services for all state agencies at the center. (b) The department shall fulfill the network security requirements of each state agency to the extent practicable. However, the department shall protect criminal justice and homeland security networks of this state to the fullest extent possible in accordance with federal criminal justice and homeland security network standards. (c) All state agencies shall use the network security services provided through the center to the fullest extent possible. (d) A state agency may not purchase network security services unless the department determines that the agency's requirement for network security services cannot be met at a comparable cost through the center. The department shall develop an efficient process for this determination. Sec. 2059.103. CENTER LOCATION AND PHYSICAL SECURITY. (a) The department shall locate the center at a location that has an existing secure and restricted facility, cyber-security infrastructure, available trained workforce, and supportive educational capabilities. (b) The department shall control and monitor all entrances and critical areas to prevent unauthorized entry. The department shall limit access to authorized individuals. (c) Local law enforcement or security agencies shall monitor security alarms at the center according to service availability. (d) The department shall restrict operational information to personnel at the center, except as provided by Chapter 321. Sec. 2059.104. CENTER SERVICES AND SUPPORT. (a) The department shall provide the following managed security services through the center: (1) real-time network security monitoring to detect and respond to network security events that may jeopardize this state and the residents of this state, including vulnerability assessment services consisting of a comprehensive security posture assessment, external and internal threat analysis, and penetration testing; (2) continuous, 24-hour alerts and guidance for defeating network security threats, including firewall preconfiguration, installation, management and monitoring, intelligence gathering, protocol analysis, and user authentication; (3) immediate incident response to counter network security activity that exposes this state and the residents of this state to risk, including complete intrusion detection systems installation, management, and monitoring and a network operations call center; (4) development, coordination, and execution of statewide cyber-security operations to isolate, contain, and mitigate the impact of network security incidents at state agencies; (5) operation of a central authority for all statewide information assurance programs; and (6) the provision of educational services regarding network security. (b) The department may provide: (1) implementation of best-of-breed information security architecture engineering services, including public key infrastructure development, design, engineering, custom software development, and secure web design; or (2) certification and accreditation to ensure compliance with the applicable regulatory requirements for cyber-security and information technology risk management, including the use of proprietary tools to automate the assessment and enforcement of compliance. Sec. 2059.105. NETWORK SECURITY GUIDELINES AND STANDARD OPERATING PROCEDURES. (a) The department shall adopt and provide to all state agencies appropriate network security guidelines and standard operating procedures to ensure efficient operation of the center with a maximum return on investment for the state. (b) The department shall revise the standard operating procedures as necessary to confirm network security. (c) Each state agency shall comply with the network security policies, guidelines, and standard operating procedures. Sec. 2059.106. PRIVATE VENDOR. The department may contract with a private vendor to build and operate the center and act as an authorized agent to acquire, install, integrate, maintain, configure, and monitor the network security services and security infrastructure elements.
[Sections 2059.107-2059.150 reserved for expansion]
Sec. 2059.151. PAYMENT FOR SERVICES. The department shall develop a system of billings and charges for services provided in operating and administering the network security system that allocates the total state cost to each state agency or other entity served by the system based on proportionate usage. Sec. 2059.152. REVOLVING FUND ACCOUNT. (a) The comptroller shall establish in the state treasury a revolving fund account for the administration of this chapter. The account must be used as a depository for money received from state agencies and other entities served under this chapter. Receipts attributable to the centralized network security system must be deposited into the account and separately identified within the account. (b) The legislature may appropriate money for operating the system directly to the department, in which case the revolving fund account must be used to receive money due from local governmental entities and other agencies to the extent that their money is not subject to legislative appropriation. (c) The department shall maintain in the revolving fund account sufficient amounts to pay the liabilities of the center and related network security services. Sec. 2059.153. GRANTS. The department may apply for and use for purposes of this chapter the proceeds from grants offered by any federal agency or other source. SECTION 2. (a) In this section, "department" means the Department of Information Resources. (b) The department shall study the interoperability of the network security features for user-specific access as provided by this Act. As part of the study, the department shall determine the potential for interoperability of user access technology and identify resulting cost savings and security benefits to Texas. The department shall convene the necessary project staff from affected state agencies, as well as appropriate independent technology experts to determine feasibility, cost savings, scalability, and other relevant factors regarding integration of user-specific access features to state computer network systems that will enhance information security. (c) The department shall report on the results of the study and include recommendations in the report regarding integration and user-specific access features that will enhance computer network and information security. (d) Not later than December 31, 2006, the department shall file the report with: (1) the lieutenant governor; (2) the speaker of the house of representatives; and (3) the chairs of the house and senate committees with primary oversight over the department. SECTION 3. This Act takes effect September 1, 2005. ______________________________ ______________________________ President of the Senate Speaker of the House I certify that H.B. No. 3112 was passed by the House on May 13, 2005, by a non-record vote; and that the House concurred in Senate amendments to H.B. No. 3112 on May 27, 2005, by a non-record vote. ______________________________ Chief Clerk of the House I certify that H.B. No. 3112 was passed by the Senate, with amendments, on May 25, 2005, by the following vote: Yeas 31, Nays 0. ______________________________ Secretary of the Senate APPROVED: __________________ Date __________________ Governor