H.B. No. 8
 
 
 
 
AN ACT
  relating to cybersecurity for state agency information resources.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  This Act may be cited as the Texas Cybersecurity
  Act.
         SECTION 2.  Section 325.011, Government Code, is amended to
  read as follows:
         Sec. 325.011.  CRITERIA FOR REVIEW.  The commission and its
  staff shall consider the following criteria in determining whether
  a public need exists for the continuation of a state agency or its
  advisory committees or for the performance of the functions of the
  agency or its advisory committees:
               (1)  the efficiency and effectiveness with which the
  agency or the advisory committee operates;
               (2)(A)  an identification of the mission, goals, and
  objectives intended for the agency or advisory committee and of the
  problem or need that the agency or advisory committee was intended
  to address; and
                     (B)  the extent to which the mission, goals, and
  objectives have been achieved and the problem or need has been
  addressed;
               (3)(A)  an identification of any activities of the
  agency in addition to those granted by statute and of the authority
  for those activities; and
                     (B)  the extent to which those activities are
  needed;
               (4)  an assessment of authority of the agency relating
  to fees, inspections, enforcement, and penalties;
               (5)  whether less restrictive or alternative methods of
  performing any function that the agency performs could adequately
  protect or provide service to the public;
               (6)  the extent to which the jurisdiction of the agency
  and the programs administered by the agency overlap or duplicate
  those of other agencies, the extent to which the agency coordinates
  with those agencies, and the extent to which the programs
  administered by the agency can be consolidated with the programs of
  other state agencies;
               (7)  the promptness and effectiveness with which the
  agency addresses complaints concerning entities or other persons
  affected by the agency, including an assessment of the agency's
  administrative hearings process;
               (8)  an assessment of the agency's rulemaking process
  and the extent to which the agency has encouraged participation by
  the public in making its rules and decisions and the extent to which
  the public participation has resulted in rules that benefit the
  public;
               (9)  the extent to which the agency has complied with:
                     (A)  federal and state laws and applicable rules
  regarding equality of employment opportunity and the rights and
  privacy of individuals; and
                     (B)  state law and applicable rules of any state
  agency regarding purchasing guidelines and programs for
  historically underutilized businesses;
               (10)  the extent to which the agency issues and
  enforces rules relating to potential conflicts of interest of its
  employees;
               (11)  the extent to which the agency complies with
  Chapters 551 and 552 and follows records management practices that
  enable the agency to respond efficiently to requests for public
  information;
               (12)  the effect of federal intervention or loss of
  federal funds if the agency is abolished; [and]
               (13)  the extent to which the purpose and effectiveness
  of reporting requirements imposed on the agency justifies the
  continuation of the requirement; and
               (14)  an assessment of the agency's cybersecurity
  practices using confidential information available from the
  Department of Information Resources or any other appropriate state
  agency.
         SECTION 3.  Section 551.089, Government Code, is amended to
  read as follows:
         Sec. 551.089.  DELIBERATION REGARDING SECURITY DEVICES OR
  SECURITY AUDITS; CLOSED MEETING [DEPARTMENT OF INFORMATION
  RESOURCES]. This chapter does not require a governmental body [the
  governing board of the Department of Information Resources] to
  conduct an open meeting to deliberate:
               (1)  security assessments or deployments relating to
  information resources technology;
               (2)  network security information as described by
  Section 2059.055(b); or
               (3)  the deployment, or specific occasions for
  implementation, of security personnel, critical infrastructure, or
  security devices.
         SECTION 4.  Section 552.139, Government Code, is amended by
  adding Subsection (d) to read as follows:
         (d)  When posting a contract on an Internet website as
  required by Section 2261.253, a state agency shall redact
  information made confidential by this section or excepted from
  public disclosure by this section. Redaction under this subsection
  does not except information from the requirements of Section
  552.021.
         SECTION 5.  Subchapter C, Chapter 2054, Government Code, is
  amended by adding Section 2054.0594 to read as follows:
         Sec. 2054.0594.  INFORMATION SHARING AND ANALYSIS CENTER.
  (a) The department shall establish an information sharing and
  analysis center to provide a forum for state agencies to share
  information regarding cybersecurity threats, best practices, and
  remediation strategies.
         (b)  The department shall appoint persons from appropriate
  state agencies to serve as representatives to the information
  sharing and analysis center.
         (c)  The department, using funds other than funds
  appropriated to the department in a general appropriations act,
  shall provide administrative support to the information sharing and
  analysis center.
         SECTION 6.  Section 2054.076, Government Code, is amended by
  adding Subsection (b-1) to read as follows:
         (b-1)  The department shall provide mandatory guidelines to
  state agencies regarding the continuing education requirements for
  cybersecurity training that must be completed by all information
  resources employees of the agencies. The department shall consult
  with the Information Technology Council for Higher Education on
  applying the guidelines to institutions of higher education.
         SECTION 7.  Sections 2054.077(b) and (e), Government Code,
  are amended to read as follows:
         (b)  The information resources manager of a state agency
  shall [may] prepare or have prepared a report, including an
  executive summary of the findings of the biennial report, not later
  than October 15 of each even-numbered year, assessing the extent to
  which a computer, a computer program, a computer network, a
  computer system, a printer, an interface to a computer system,
  including mobile and peripheral devices, computer software, or data
  processing of the agency or of a contractor of the agency is
  vulnerable to unauthorized access or harm, including the extent to
  which the agency's or contractor's electronically stored
  information is vulnerable to alteration, damage, erasure, or
  inappropriate use.
         (e)  Separate from the executive summary described by
  Subsection (b), a state agency [whose information resources manager
  has prepared or has had prepared a vulnerability report] shall
  prepare a summary of the agency's vulnerability report that does
  not contain any information the release of which might compromise
  the security of the state agency's or state agency contractor's
  computers, computer programs, computer networks, computer systems,
  printers, interfaces to computer systems, including mobile and
  peripheral devices, computer software, data processing, or
  electronically stored information.  The summary is available to
  the public on request.
         SECTION 8.  Section 2054.1125(b), Government Code, is
  amended to read as follows:
         (b)  A state agency that owns, licenses, or maintains
  computerized data that includes sensitive personal information,
  confidential information, or information the disclosure of which is
  regulated by law shall, in the event of a breach or suspected breach
  of system security or an unauthorized exposure of that information:
               (1)  comply[, in the event of a breach of system
  security,] with the notification requirements of Section 521.053,
  Business & Commerce Code, to the same extent as a person who
  conducts business in this state; and
               (2)  not later than 48 hours after the discovery of the
  breach, suspected breach, or unauthorized exposure, notify:
                     (A)  the department, including the chief
  information security officer and the state cybersecurity
  coordinator; or
                     (B)  if the breach, suspected breach, or
  unauthorized exposure involves election data, the secretary of
  state.
         SECTION 9.  Section 2054.512, Government Code, is amended to
  read as follows:
         Sec. 2054.512.  CYBERSECURITY [PRIVATE INDUSTRY-GOVERNMENT]
  COUNCIL. (a) The state cybersecurity coordinator shall [may]
  establish and lead a cybersecurity council that includes public and
  private sector leaders and cybersecurity practitioners to
  collaborate on matters of cybersecurity concerning this state.
         (b)  The cybersecurity council must include:
               (1)  one member who is an employee of the office of the
  governor;
               (2)  one member of the senate appointed by the
  lieutenant governor;
               (3)  one member of the house of representatives
  appointed by the speaker of the house of representatives; and
               (4)  additional members appointed by the state
  cybersecurity coordinator, including representatives of
  institutions of higher education and private sector leaders.
         (c)  In appointing representatives from institutions of
  higher education to the cybersecurity council, the state
  cybersecurity coordinator shall consider appointing members of the
  Information Technology Council for Higher Education.
         (d)  The cybersecurity council shall:
               (1)  consider the costs and benefits of establishing a
  computer emergency readiness team to address cyber attacks
  occurring in this state during routine and emergency situations;
               (2)  establish criteria and priorities for addressing
  cybersecurity threats to critical state installations;
               (3)  consolidate and synthesize best practices to
  assist state agencies in understanding and implementing
  cybersecurity measures that are most beneficial to this state; and
               (4)  assess the knowledge, skills, and capabilities of
  the existing information technology and cybersecurity workforce to
  mitigate and respond to cyber threats and develop recommendations
  for addressing immediate workforce deficiencies and ensuring a
  long-term pool of qualified applicants.
         (e)  The cybersecurity council shall provide recommendations
  to the legislature on any legislation necessary to implement
  cybersecurity best practices and remediation strategies for this
  state.
         SECTION 10.  Section 2054.133, Government Code, is amended
  by adding Subsection (e) to read as follows:
         (e)  Each state agency shall include in the agency's
  information security plan a written acknowledgment that the
  executive director or other head of the agency, the chief financial
  officer, and each executive manager as designated by the state
  agency have been made aware of the risks revealed during the
  preparation of the agency's information security plan.
         SECTION 11.  Subchapter N-1, Chapter 2054, Government Code,
  is amended by adding Sections 2054.515, 2054.516, 2054.517, and
  2054.518 to read as follows:
         Sec. 2054.515.  AGENCY INFORMATION SECURITY ASSESSMENT AND
  REPORT. (a) At least once every two years, each state agency shall
  conduct an information security assessment of the agency's
  information resources systems, network systems, digital data
  storage systems, digital data security measures, and information
  resources vulnerabilities.
         (b)  Not later than December 1 of the year in which a state
  agency conducts the assessment under Subsection (a), the agency
  shall report the results of the assessment to the department, the
  governor, the lieutenant governor, and the speaker of the house of
  representatives.
         (c)  The department by rule may establish the requirements
  for the information security assessment and report required by this
  section.
         Sec. 2054.516.  DATA SECURITY PLAN FOR ONLINE AND MOBILE
  APPLICATIONS. Each state agency, other than an institution of
  higher education subject to Section 2054.517, implementing an
  Internet website or mobile application that processes any sensitive
  personal information or confidential information must:
               (1)  submit a biennial data security plan to the
  department not later than October 15 of each even-numbered year to
  establish planned beta testing for the website or application; and
               (2)  subject the website or application to a
  vulnerability and penetration test and address any vulnerability
  identified in the test.
         Sec. 2054.517.  DATA SECURITY PROCEDURES FOR ONLINE AND
  MOBILE APPLICATIONS OF INSTITUTIONS OF HIGHER EDUCATION. (a) Each
  institution of higher education, as defined by Section 61.003,
  Education Code, shall adopt and implement a policy for Internet
  website and mobile application security procedures that complies
  with this section.
         (b)  Before deploying an Internet website or mobile
  application that processes confidential information for an
  institution of higher education, the developer of the website or
  application for the institution must submit to the institution's
  information security officer the information required under
  policies adopted by the institution to protect the privacy of
  individuals by preserving the confidentiality of information
  processed by the website or application. At a minimum, the
  institution's policies must require the developer to submit
  information describing:
               (1)  the architecture of the website or application;
               (2)  the authentication mechanism for the website or
  application; and
               (3)  the administrator level access to data included in
  the website or application.
         (c)  Before deploying an Internet website or mobile
  application described by Subsection (b), an institution of higher
  education must subject the website or application to a
  vulnerability and penetration test conducted internally or by an
  independent third party.
         (d)  Each institution of higher education shall submit to the
  department the policies adopted as required by Subsection (b). The
  department shall review the policies and make recommendations for
  appropriate changes.
         Sec. 2054.518.  CYBERSECURITY RISKS AND INCIDENTS. (a) The
  department shall develop a plan to address cybersecurity risks and
  incidents in this state. The department may enter into an agreement
  with a national organization, including the National Cybersecurity
  Preparedness Consortium, to support the department's efforts in
  implementing the components of the plan for which the department
  lacks resources to address internally. The agreement may include
  provisions for:
               (1)  providing fee reimbursement for appropriate
  industry-recognized certification examinations for and training to
  state agencies preparing for and responding to cybersecurity risks
  and incidents;
               (2)  developing and maintaining a cybersecurity risks
  and incidents curriculum using existing programs and models for
  training state agencies;
               (3)  delivering to state agency personnel with access
  to state agency networks routine training related to appropriately
  protecting and maintaining information technology systems and
  devices, implementing cybersecurity best practices, and mitigating
  cybersecurity risks and vulnerabilities;
               (4)  providing technical assistance services to
  support preparedness for and response to cybersecurity risks and
  incidents;
               (5)  conducting cybersecurity training and simulation
  exercises for state agencies to encourage coordination in defending
  against and responding to cybersecurity risks and incidents;
               (6)  assisting state agencies in developing
  cybersecurity information-sharing programs to disseminate
  information related to cybersecurity risks and incidents; and
               (7)  incorporating cybersecurity risk and incident
  prevention and response methods into existing state emergency
  plans, including continuity of operation plans and incident
  response plans.
         (b)  In implementing the provisions of the agreement
  prescribed by Subsection (a), the department shall seek to prevent
  unnecessary duplication of existing programs or efforts of the
  department or another state agency.
         (c)  In selecting an organization under Subsection (a), the
  department shall consider the organization's previous experience
  in conducting cybersecurity training and exercises for state
  agencies and political subdivisions.
         (d)  The department shall consult with institutions of
  higher education in this state when appropriate based on an
  institution's expertise in addressing specific cybersecurity risks
  and incidents.
         SECTION 12.  Section 2054.575(a), Government Code, is
  amended to read as follows:
         (a)  A state agency shall, with available funds, identify
  information security issues and develop a plan to prioritize the
  remediation and mitigation of those issues. The agency shall
  include in the plan:
               (1)  procedures for reducing the agency's level of
  exposure with regard to information that alone or in conjunction
  with other information identifies an individual maintained on a
  legacy system of the agency;
               (2)  the best value approach for modernizing,
  replacing, renewing, or disposing of a legacy system that maintains
  information critical to the agency's responsibilities;
               (3)  analysis of the percentage of state agency
  personnel in information technology, cybersecurity, or other
  cyber-related positions who currently hold the appropriate
  industry-recognized certifications as identified by the National
  Initiative for Cybersecurity Education;
               (4)  the level of preparedness of state agency cyber
  personnel and potential personnel who do not hold the appropriate
  industry-recognized certifications to successfully complete the
  industry-recognized certification examinations; and
               (5)  a strategy for mitigating any workforce-related
  discrepancy in information technology, cybersecurity, or other
  cyber-related positions with the appropriate training and
  industry-recognized certifications.
         SECTION 13.  Section 2059.055(b), Government Code, is
  amended to read as follows:
         (b)  Network security information is confidential under this
  section if the information is:
               (1)  related to passwords, personal identification
  numbers, access codes, encryption, or other components of the
  security system of a governmental entity [state agency];
               (2)  collected, assembled, or maintained by or for a
  governmental entity to prevent, detect, or investigate criminal
  activity; or
               (3)  related to an assessment, made by or for a
  governmental entity or maintained by a governmental entity, of the
  vulnerability of a network to criminal activity.
         SECTION 14.  Chapter 276, Election Code, is amended by
  adding Section 276.011 to read as follows:
         Sec. 276.011.  ELECTION CYBER ATTACK STUDY. (a) Not later
  than December 1, 2018, the secretary of state shall:
               (1)  conduct a study regarding cyber attacks on
  election infrastructure;
               (2)  prepare a public summary report on the study's
  findings that does not contain any information the release of which
  may compromise any election;
               (3)  prepare a confidential report on specific findings
  and vulnerabilities that is exempt from disclosure under Chapter
  552, Government Code; and
               (4)  submit to the standing committees of the
  legislature with jurisdiction over election procedures a copy of
  the report required under Subdivision (2) and a general compilation
  of the report required under Subdivision (3) that does not contain
  any information the release of which may compromise any election.
         (b)  The study must include:
               (1)  an investigation of vulnerabilities and risks for
  a cyber attack against a county's voting system machines or the list
  of registered voters;
               (2)  information on any attempted cyber attack on a
  county's voting system machines or the list of registered voters;
  and
               (3)  recommendations for protecting a county's voting
  system machines and list of registered voters from a cyber attack.
         (c)  The secretary of state, using existing resources, may
  contract with a qualified vendor to conduct the study required by
  this section.
         (d)  This section expires January 1, 2019.
         SECTION 15.  (a) The lieutenant governor shall establish a
  Senate Select Committee on Cybersecurity and the speaker of the
  house of representatives shall establish a House Select Committee
  on Cybersecurity to, jointly or separately, study:
               (1)  cybersecurity in this state;
               (2)  the information security plans of each state
  agency; and
               (3)  the risks and vulnerabilities of state agency
  cybersecurity.
         (b)  Not later than November 30, 2017:
               (1)  the lieutenant governor shall appoint five
  senators to the Senate Select Committee on Cybersecurity, one of
  whom shall be designated as chair; and
               (2)  the speaker of the house of representatives shall
  appoint five state representatives to the House Select Committee on
  Cybersecurity, one of whom shall be designated as chair.
         (c)  The committees established under this section shall
  convene separately at the call of the chair of the respective
  committees, or jointly at the call of both chairs. In joint
  meetings, the chairs of each committee shall act as joint chairs.
         (d)  Following consideration of the issues listed in
  Subsection (a) of this section, the committees established under
  this section shall jointly adopt recommendations on state
  cybersecurity and report in writing to the legislature any findings
  and adopted recommendations not later than January 13, 2019.
         (e)  This section expires September 1, 2019.
         SECTION 16.  (a) In this section, "state agency" means a
  board, commission, office, department, council, authority, or
  other agency in the executive or judicial branch of state
  government that is created by the constitution or a statute of this
  state. The term does not include a university system or institution
  of higher education as those terms are defined by Section 61.003,
  Education Code.
         (b)  The Department of Information Resources, in
  consultation with the Texas State Library and Archives Commission,
  shall conduct a study on state agency digital data storage and
  records management practices and the associated costs to this
  state.
         (c)  The study required under this section must examine:
               (1)  the current digital data storage practices of
  state agencies in this state;
               (2)  the costs associated with those digital data
  storage practices;
               (3)  the digital records management and data
  classification policies of state agencies and whether the state
  agencies are consistently complying with the established policies;
               (4)  whether the state agencies are storing digital
  data that exceeds established retention requirements and the cost
  of that unnecessary storage;
               (5)  the adequacy of storage systems used by state
  agencies to securely maintain confidential digital records;
               (6)  possible solutions and improvements recommended
  by the state agencies for reducing state costs and increasing
  security for digital data storage and records management; and
               (7)  the security level and possible benefits of and
  the cost savings from using cloud computing services for agency
  data storage, data classification, and records management.
         (d)  Each state agency shall participate in the study
  required by this section and provide appropriate assistance and
  information to the Department of Information Resources and the
  Texas State Library and Archives Commission.
         (e)  Not later than December 1, 2018, the Department of
  Information Resources shall issue a report on the study required
  under this section and recommendations for reducing state costs and
  for improving efficiency in digital data storage and records
  management to the lieutenant governor, the speaker of the house of
  representatives, and the appropriate standing committees of the
  house of representatives and the senate.
         (f)  This section expires September 1, 2019.
         SECTION 17.  The changes in law made by this Act do not apply
  to the Electric Reliability Council of Texas.
         
         SECTION 18.  This Act takes effect September 1, 2017.
 
 
  ______________________________ ______________________________
     President of the Senate Speaker of the House     
 
 
         I certify that H.B. No. 8 was passed by the House on April 25,
  2017, by the following vote:  Yeas 145, Nays 0, 2 present, not
  voting; and that the House concurred in Senate amendments to H.B.
  No. 8 on May 27, 2017, by the following vote:  Yeas 139, Nays 7, 2
  present, not voting.
 
  ______________________________
  Chief Clerk of the House   
 
         I certify that H.B. No. 8 was passed by the Senate, with
  amendments, on May 24, 2017, by the following vote:  Yeas 31, Nays
  0.
 
  ______________________________
  Secretary of the Senate   
  APPROVED: __________________
                  Date       
   
           __________________
                Governor