HB 150 Introduced

Relating to the establishment of the Texas Cyber Command as a component institution of The University of Texas System and the transfer to it of certain powers and duties of the Department of Information Resources. 

A BILL TO BE ENTITLED

 

AN ACT

 

relating to the establishment of the Texas Cyber Command as a

 

component institution of The University of Texas System and the

 

transfer to it of certain powers and duties of the Department of

 

Information Resources.

 

       BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

 

       SECTION 1.  Subtitle B, Title 10, Government Code, is

 

amended by adding Chapter 2063 to read as follows:

 

CHAPTER 2063. TEXAS CYBER COMMAND

 

SUBCHAPTER A. GENERAL PROVISIONS

 

       Sec. 2063.001.  DEFINITIONS. In this chapter:

 

             (1)  “Chief” means the chief of the Texas Cyber

 

Command.

 

             (2)  “Command” means the Texas Cyber Command

 

established under this chapter.

 

             (3)  “Covered entity” means a private entity operating

 

critical infrastructure or a local government that the command

 

contracts with in order to provide cybersecurity services under

 

this chapter.

 

             (4)  “Critical infrastructure” means infrastructure in

 

this state vital to the security, governance, public health and

 

safety, economy, or morale of the state or the nation, including:

 

                   (A)  chemical facilities;

 

                   (B)  commercial facilities;

 

                   (C)  communication facilities;

 

                   (D)  manufacturing facilities;

 

                   (E)  dams;

 

                   (F)  defense industrial bases;

 

                   (G)  emergency services systems;

 

                   (H)  energy facilities;

 

                   (I)  financial services systems;

 

                   (J)  food and agriculture facilities;

 

                   (K)  government facilities;

 

                   (L)  health care and public health facilities;

 

                   (M)  information technology and information

 

technology systems;

 

                   (N)  nuclear reactors, materials, and waste;

 

                   (O)  transportation systems; or

 

                   (P)  water and wastewater systems.

 

             (5)  “Cybersecurity” means the measures taken to

 

protect a computer, computer network, computer system, or other

 

technology infrastructure against unauthorized:

 

                   (A)  use, access, disruption, modification, or

 

destruction; or

 

                   (B)  disclosure, modification, or destruction of

 

information.

 

             (6)  “Cybersecurity incident” includes:

 

                   (A)  a breach or suspected breach of system

 

security as defined by Section 521.053, Business & Commerce Code;

 

                   (B)  the introduction of ransomware, as defined by

 

Section 33.023, Penal Code, into a computer, computer network, or

 

computer system; or

 

                   (C)  any other cybersecurity-related occurrence

 

that jeopardizes information or an information system designated by

 

command policy adopted under this chapter.

 

             (7)  “Department” means the Department of Information

 

Resources.

 

             (8)  “Governmental entity” means this state, a state

 

agency, or a local government.

 

             (9)  “Information resources” has the meaning assigned

 

by Section 2054.003, Government Code.

 

             (10)  “Information resources technologies” has the

 

meaning assigned by Section 2054.003.

 

             (11)  “Local government” has the meaning assigned by

 

Section 2054.003.

 

             (12)  “Sensitive personal information” has the meaning

 

assigned by Section 521.002, Business & Commerce Code.

 

             (13)  “State agency” means:

 

                   (A)  a department, commission, board, office, or

 

other agency that is in the executive or legislative branch of state

 

government and that was created by the constitution or a statute;

 

                   (B)  the supreme court, the court of criminal

 

appeals, a court of appeals, a district court, or the Texas Judicial

 

Council or another agency in the judicial branch of state

 

government; or

 

                   (C)  a university system or an institution of

 

higher education as defined by Section 61.003, Education Code.

 

       Sec. 2063.002.  ORGANIZATION. (a) The Texas Cyber Command

 

is a component of The University of Texas System and

 

administratively attached to The University of Texas at San

 

Antonio.

 

       (b)  The command is managed by a chief appointed by the

 

governor and confirmed with the advice and consent of the senate.  

 

The chief serves at the pleasure of the governor and must possess

 

professional training and knowledge relevant to the functions and

 

duties of the command.

 

       (c)  The command shall employ other coordinating and

 

planning officers and other personnel necessary to the performance

 

of its functions.

 

       (d)  Under an agreement with the command, The University of

 

Texas at San Antonio shall provide administrative support services

 

for the command as necessary to carry out the purposes of this

 

chapter.

 

       Sec. 2063.003.  ESTABLISHMENT AND PURPOSE. (a) The command

 

is established to prevent and respond to cybersecurity incidents

 

that affect governmental entities and critical infrastructure in

 

this state.

 

       (b)  The command is responsible for cybersecurity for this

 

state, including:

 

             (1)  developing tools to enhance cybersecurity

 

defenses;

 

             (2)  facilitating education and training of a

 

cybersecurity workforce;

 

             (3)  in collaboration with the department,

 

establishing appropriate cybersecurity standards; and

 

             (4)  creating partnerships needed to effectively carry

 

out the command’s functions.

 

       Sec. 2063.004.  GENERAL POWERS AND DUTIES. (a) The command

 

shall:

 

             (1)  promote public awareness of cybersecurity issues;

 

             (2)  develop cybersecurity best practices and minimum

 

standards for governmental entities;

 

             (3)  develop and provide training to state agencies and

 

covered entities on cybersecurity measures and awareness;

 

             (4)  administer the cybersecurity threat intelligence

 

center under Section 2063.201;

 

             (5)  provide support to state agencies and covered

 

entities experiencing a cybersecurity incident;

 

             (6)  administer the digital forensics laboratory under

 

Section 2063.203;

 

             (7)  administer a statewide portal for enterprise

 

cybersecurity threat, risk, and incident management, and operate a

 

cybersecurity hotline available for state agencies and covered

 

entities 24 hours a day, seven days a week;

 

             (8)  collaborate with law enforcement agencies to

 

provide training and support related to cybersecurity incidents;

 

             (9)  serve as a clearinghouse for information relating

 

to all aspects of protecting the cybersecurity of governmental

 

entities, including sharing appropriate intelligence and

 

information with governmental entities, federal agencies, and

 

covered entities;

 

             (10)  collaborate with the department to ensure

 

information resources and information resources technologies

 

obtained by the department meet the cybersecurity standards and

 

requirements established under this chapter;

 

             (11)  offer cybersecurity resources to state agencies

 

and covered entities as determined by the command; and

 

             (12)  adopt policies to ensure state agencies implement

 

sufficient cybersecurity measures to defend information resources,

 

information resources technologies, and sensitive personal

 

information maintained by the agencies.

 

       (b)  The command may:

 

             (1)  adopt and enforce policies necessary to carry out

 

this chapter;

 

             (2)  adopt and use an official seal;

 

             (3)  establish ad hoc advisory committees as necessary

 

to carry out the command’s duties under this chapter;

 

             (4)  acquire and convey property or an interest in

 

property;

 

             (5)  procure insurance and pay premiums on insurance of

 

any type, in accounts, and from insurers as the command considers

 

necessary and advisable to accomplish any of the command’s duties;

 

and

 

             (6)  hold patents, copyrights, trademarks, or other

 

evidence of protection or exclusivity issued under the laws of the

 

United States, any state, or any nation and may enter into license

 

agreements with any third parties for the receipt of fees,

 

royalties, or other monetary or nonmonetary value.

 

       (c)  Except as otherwise provided by this chapter, the

 

command shall deposit money paid to the command under this chapter

 

in the state treasury to the credit of the general revenue fund.

 

       Sec. 2063.005.  COST RECOVERY. The command shall recover

 

the cost of providing direct technical assistance, training

 

services, and other services to covered entities when reasonable

 

and practical.

 

       Sec. 2063.007.  EMERGENCY PURCHASING. In the event the

 

emergency response to a cybersecurity incident requires the command

 

to purchase an item, the command is exempt from the requirements of

 

Sections 2155.0755, 2155.083, and 2155.132(c) in making the

 

purchase.

 

       Sec. 2063.008.  RULES. The governor may adopt rules

 

necessary for carrying out the purposes of this chapter.

 

       Sec. 2063.009.  APPLICATION OF SUNSET ACT. The command is

 

subject to Chapter 325 (Texas Sunset Act). Unless continued in

 

existence as provided by that chapter, the command is abolished

 

September 1, 2035.

 

SUBCHAPTER B. MINIMUM STANDARDS AND TRAINING

 

       Sec. 2063.101.  BEST PRACTICES AND MINIMUM STANDARDS FOR

 

CYBERSECURITY AND TRAINING. (a) The command shall develop and

 

annually assess best practices and minimum standards for use by

 

governmental entities to enhance the security of information

 

resources in this state.

 

       (b)  The command shall establish and periodically assess

 

mandatory cybersecurity training that must be completed by all

 

information resources employees of state agencies. The command

 

shall consult with the Information Technology Council for Higher

 

Education established under Section 2054.121 regarding applying

 

the training requirements to employees of institutions of higher

 

education.

 

       (c)  The command shall adopt policies to ensure governmental

 

entities are complying with the requirements of this section.

 

SUBCHAPTER C.  CYBERSECURITY PREVENTION, RESPONSE, AND RECOVERY

 

       Sec. 2063.201.  CYBERSECURITY THREAT INTELLIGENCE CENTER.

 

(a) In this section, “center” means the cybersecurity threat

 

intelligence center established under this section.

 

       (b)  The command shall establish a cybersecurity threat

 

intelligence center.  The center, in coordination with the

 

department, shall:

 

             (1)  operate the information sharing and analysis

 

organization established under Section 2063.204; and

 

             (2)  use regional security operations centers

 

established under Subchapter G and the cybersecurity incident

 

response unit under Section 2063.202 to assist governmental

 

entities in responding to a cybersecurity incident.

 

       (c)  The chief may employ a director for the center.

 

       Sec. 2063.202.  CYBERSECURITY INCIDENT RESPONSE UNIT. (a)

 

The command shall establish a dedicated cybersecurity incident

 

response unit to:

 

             (1)  detect and contain cybersecurity incidents in

 

collaboration with the cybersecurity threat intelligence center

 

under Section 2063.201;

 

             (2)  engage in threat neutralization, including

 

removing malware, disallowing unauthorized access, and patching

 

vulnerabilities in information resources technologies;

 

             (3)  in collaboration with the digital forensics

 

laboratory under Section 2063.203, undertake mitigation efforts if

 

sensitive personal information is breached during a cybersecurity

 

incident;

 

             (4)  loan resources to state agencies and covered

 

entities to promote continuity of operations while the agency or

 

entity restores the systems affected by a cybersecurity incident;

 

             (5)  assist in the restoration of information resources

 

and information resources technologies after a cybersecurity

 

incident and conduct post-incident monitoring;

 

             (6)  in collaboration with the cybersecurity threat

 

intelligence center under Section 2063.201 and digital forensics

 

laboratory under Section 2063.203, identify weaknesses, establish

 

risk mitigation options and effective vulnerability-reduction

 

strategies, and make recommendations to state agencies and covered

 

entities that have been the target of a cybersecurity attack or have

 

experienced a cybersecurity incident in order to remediate

 

identified cybersecurity vulnerabilities;

 

             (7)  in collaboration with the cybersecurity threat

 

intelligence center under Section 2063.201, the digital forensics

 

laboratory under Section 2063.203, the Texas Division of Emergency

 

Management, and other state agencies, conduct, support, and

 

participate in cyber-related exercises; and

 

             (8)  undertake any other activities necessary to carry

 

out the duties described by this subsection.

 

       (b)  The chief shall employ a director for the cybersecurity

 

incident response unit.

 

       Sec. 2063.203.  DIGITAL FORENSICS LABORATORY. (a) The

 

command shall establish a digital forensics laboratory to:

 

             (1)  in collaboration with the cybersecurity incident

 

response unit under Section 2063.202, develop procedures to:

 

                   (A)  preserve evidence of a cybersecurity

 

incident, including logs and communication;

 

                   (B)  document chains of custody; and

 

                   (C)  timely notify and maintain contact with the

 

appropriate law enforcement agencies investigating a cybersecurity

 

incident;

 

             (2)  develop and share with relevant state agencies and

 

covered entities cyber threat hunting tools and procedures to

 

assist in identifying indicators of a compromise in the

 

cybersecurity of state information systems and non-state

 

information systems, as appropriate, for proactive discovery of

 

latent intrusions;

 

             (3)  conduct analyses of causes of cybersecurity

 

incidents and of remediation options;

 

             (4)  conduct assessments of the scope of harm caused by

 

cybersecurity incidents, including data loss, compromised systems,

 

and system disruptions;

 

             (5)  provide information and training to state agencies

 

and covered entities on producing reports required by regulatory

 

and auditing bodies;

 

             (6)  in collaboration with the Department of Public

 

Safety, the Texas Military Department, the office of the attorney

 

general, and other state agencies, provide forensic analysis of a

 

cybersecurity incident to support an investigation, attribution

 

process, or other law enforcement or judicial action; and

 

             (7)  undertake any other activities necessary to carry

 

out the duties described by this subsection.

 

       (b)  The chief shall employ a director for the digital

 

forensics laboratory.

 

       Sec. 2063.205.  POLICIES. The command shall adopt policies

 

and procedures necessary to enable the entities established in this

 

subchapter to carry out their respective duties and purposes.

 

SUBCHAPTER E. CYBERSECURITY PREPARATION AND PLANNING

 

       Sec. 2063.404.  ONGOING INFORMATION TRANSMISSIONS.

 

Information received from state agencies by the department under

 

Section 2054.069 shall be transmitted by the department to the

 

command on an ongoing basis.

 

       SECTION 2.  Section 2054.510, Government Code, is

 

transferred to Subchapter A, Chapter 2063, Government Code, as

 

added by this Act, redesignated as Section 2063.0025, Government

 

Code, and amended to read as follows:

 

       Sec. 2063.0025 [2054.510].  COMMAND CHIEF [INFORMATION

 

SECURITY OFFICER]. (a)  In this section, “state cybersecurity

 

[information security] program” means the policies, standards,

 

procedures, elements, structure, strategies, objectives, plans,

 

metrics, reports, services, and resources that establish the

 

cybersecurity [information resources security] function for this

 

state.

 

       (b)  The chief directs the day-to-day operations and

 

policies of the command and oversees and is responsible for all

 

functions and duties of the command.  [The executive director,

 

using existing funds, shall employ a chief information security

 

officer.]

 

       (c)  The chief [information security officer] shall oversee

 

cybersecurity matters for this state including:

 

             (1)  implementing the duties described by Section

 

2063.004 [2054.059];

 

             (2)  [responding to reports received under Section

 

2054.1125;

 

             [(3)]  developing a statewide cybersecurity

 

[information security] framework;

 

             (3) [(4)]  overseeing the development of cybersecurity

 

[statewide information security] policies and standards;

 

             (4) [(5)]  collaborating with [state agencies, local]

 

governmental entities[,] and other entities operating or

 

exercising control over state information systems or

 

state-controlled data critical to strengthen this state’s

 

cybersecurity and information security policies, standards, and

 

guidelines;

 

             (5) [(6)]  overseeing the implementation of the

 

policies, standards, and requirements [guidelines] developed under

 

this chapter [Subdivisions (3) and (4)];

 

             (6) [(7)]  providing cybersecurity [information

 

security] leadership, strategic direction, and coordination for

 

the state cybersecurity [information security] program;

 

             (7) [(8)]  providing strategic direction to:

 

                   (A)  the network security center established

 

under Section 2059.101; and

 

                   (B)  regional security operations [statewide

 

technology] centers operated under Subchapter G [L]; and

 

             (8) [(9)]  overseeing the preparation and submission

 

of the report described by Section 2063.301 [2054.0591].

 

       SECTION 3.  Section 2054.0592, Government Code, is

 

transferred to Subchapter A, Chapter 2063, Government Code, as

 

added by this Act, redesignated as Section 2063.006, Government

 

Code, and amended to read as follows:

 

       Sec. 2063.006 [2054.0592].  CYBERSECURITY EMERGENCY

 

FUNDING. If a cybersecurity event creates a need for emergency

 

funding, the command [department] may request that the governor or

 

Legislative Budget Board make a proposal under Chapter 317 to

 

provide funding to manage the operational and financial impacts

 

from the cybersecurity event.

 

       SECTION 4.  Section 2054.519, Government Code, is

 

transferred to Subchapter B, Chapter 2063, Government Code, as

 

added by this Act, redesignated as Section 2063.102, Government

 

Code, and amended to read as follows:

 

       Sec. 2063.102 [2054.519].  STATE CERTIFIED CYBERSECURITY

 

TRAINING PROGRAMS. (a) The command [department], in consultation

 

with the cybersecurity council established under Section 2063.406

 

[2054.512] and industry stakeholders, shall annually:

 

             (1)  certify at least five cybersecurity training

 

programs for state and local government employees; and

 

             (2)  update standards for maintenance of certification

 

by the cybersecurity training programs under this section.

 

       (b)  To be certified under Subsection (a), a cybersecurity

 

training program must:

 

             (1)  focus on forming appropriate cybersecurity

 

[information security] habits and procedures that protect

 

information resources; and

 

             (2)  teach best practices and minimum standards

 

established under this subchapter [for detecting, assessing,

 

reporting, and addressing information security threats].

 

       (c)  The command [department] may identify and certify under

 

Subsection (a) training programs provided by state agencies and

 

local governments that satisfy the training requirements described

 

by Subsection (b).

 

       (d)  The command [department] may contract with an

 

independent third party to certify cybersecurity training programs

 

under this section.

 

       (e)  The command [department] shall annually publish on the

 

command’s [department’s] Internet website the list of cybersecurity

 

training programs certified under this section.

 

       SECTION 5.  Section 2054.5191, Government Code, is

 

transferred to Subchapter B, Chapter 2063, Government Code, as

 

added by this Act, redesignated as Section 2063.103, Government

 

Code, and amended to read as follows:

 

       Sec. 2063.103 [2054.5191].  CYBERSECURITY TRAINING REQUIRED

 

[: CERTAIN EMPLOYEES AND OFFICIALS].  (a)  Each elected or appointed

 

official and employee of a governmental entity who has access to the

 

entity’s information resources or information resources

 

technologies [state agency shall identify state employees who use a

 

computer to complete at least 25 percent of the employee’s required

 

duties.  At least once each year, an employee identified by the

 

state agency and each elected or appointed officer of the agency]

 

shall annually complete a cybersecurity training program certified

 

under Section 2063.102 [2054.519].

 

       (b)  [(a-1)  At least once each year, a local government

 

shall:

 

             [(1)  identify local government employees and elected

 

and appointed officials who have access to a local government

 

computer system or database and use a computer to perform at least

 

25 percent of the employee’s or official’s required duties; and

 

             [(2)  require the employees and officials identified

 

under Subdivision (1) to complete a cybersecurity training program

 

certified under Section 2054.519.

 

       [(a-2)]  The governing body of a governmental entity [local

 

government] or the governing body’s designee may deny access to the

 

governmental entity’s information resources or information

 

resources technologies [local government’s computer system or

 

database] to an employee or official [individual described by

 

Subsection (a-1)(1)] who [the governing body or the governing

 

body’s designee determines] is noncompliant with the requirements

 

of Subsection (a) [(a-1)(2)].

 

       (c) [(b)]  The governing body of a local government may

 

select the most appropriate cybersecurity training program

 

certified under Section 2063.102 [2054.519] for employees and

 

officials of the local government to complete.  The governing body

 

shall:

 

             (1)  verify and report on the completion of a

 

cybersecurity training program by employees and officials of the

 

local government to the command [department]; and

 

             (2)  require periodic audits to ensure compliance with

 

this section.

 

       (d) [(c)]  A state agency may select the most appropriate

 

cybersecurity training program certified under Section 2063.102

 

[2054.519] for employees and officials of the state agency.  The

 

executive head of each state agency shall verify completion of a

 

cybersecurity training program by employees and officials of the

 

state agency in a manner specified by the command [department].

 

       (e) [(d)]  The executive head of each state agency shall

 

periodically require an internal review of the agency to ensure

 

compliance with this section.

 

       (f) [(e)]  The command [department] shall develop a form for

 

use by governmental entities [state agencies and local governments]

 

in verifying completion of cybersecurity training program

 

requirements under this section.  The form must allow the state

 

agency and local government to indicate the percentage of employee

 

and official completion.

 

       (g) [(f)]  The requirements of Subsection [Subsections] (a)

 

[and (a-1)] do not apply to employees and officials who have been:

 

             (1)  granted military leave;

 

             (2)  granted leave under the federal Family and Medical

 

Leave Act of 1993 (29 U.S.C. Section 2601 et seq.);

 

             (3)  granted leave related to a sickness or disability

 

covered by workers’ compensation benefits, if that employee or

 

official no longer has access to the governmental entity’s

 

information resources or information resources technologies [state

 

agency’s or local government’s database and systems];

 

             (4)  granted any other type of extended leave or

 

authorization to work from an alternative work site if that

 

employee or official no longer has access to the governmental

 

entity’s information resources or information resources

 

technologies [state agency’s or local government’s database and

 

systems]; or

 

             (5)  denied access to a governmental entity’s

 

information resources or information resources technologies [local

 

government’s computer system or database by the governing body of

 

the local government or the governing body’s designee] under

 

Subsection (b) [(a-2)] for noncompliance with the requirements of

 

Subsection (a) [(a-1)(2)].

 

       SECTION 6.  Section 2054.5192, Government Code, is

 

transferred to Subchapter B, Chapter 2063, Government Code, as

 

added by this Act, redesignated as Section 2063.104, Government

 

Code, and amended to read as follows:

 

       Sec. 2063.104  [2054.5192].  CYBERSECURITY TRAINING

 

REQUIRED: CERTAIN STATE CONTRACTORS.  (a)  In this section,

 

“contractor” includes a subcontractor, officer, or employee of the

 

contractor.

 

       (b)  A state agency shall require any contractor who has

 

access to a state computer system or database to complete a

 

cybersecurity training program certified under Section 2063.102

 

[2054.519] as selected by the agency.

 

       (c)  The cybersecurity training program must be completed by

 

a contractor during the term of the contract and during any renewal

 

period.

 

       (d)  Required completion of a cybersecurity training program

 

must be included in the terms of a contract awarded by a state

 

agency to a contractor.

 

       (e)  A contractor required to complete a cybersecurity

 

training program under this section shall verify completion of the

 

program to the contracting state agency.  The person who oversees

 

contract management for the agency shall:

 

             (1)  not later than August 31 of each year, report the

 

contractor’s completion to the command [department]; and

 

             (2)  periodically review agency contracts to ensure

 

compliance with this section.

 

       SECTION 7.  Section 2054.0594, Government Code, is

 

transferred to Subchapter C, Chapter 2063, Government Code, as

 

added by this Act, redesignated as Section 2063.204, Government

 

Code, and amended to read as follows:

 

       Sec. 2063.204  [2054.0594].  INFORMATION SHARING AND

 

ANALYSIS ORGANIZATION. (a)  The command [department] shall

 

establish an information sharing and analysis organization to

 

provide a forum for state agencies, local governments, public and

 

private institutions of higher education, and the private sector to

 

share information regarding cybersecurity threats, best practices,

 

and remediation strategies.

 

       (b)  [The department shall provide administrative support to

 

the information sharing and analysis organization.

 

       [(c)]  A participant in the information sharing and analysis

 

organization shall assert any exception available under state or

 

federal law, including Section 552.139, in response to a request

 

for public disclosure of information shared through the

 

organization.  Section 552.007 does not apply to information

 

described by this subsection.

 

       (c) [(d)]  The command [department] shall establish a

 

framework for regional cybersecurity task forces [working groups]

 

to execute mutual aid agreements that allow state agencies, local

 

governments, regional planning commissions, public and private

 

institutions of higher education, the private sector, the regional

 

security operations centers under Subchapter G, and the

 

cybersecurity incident response unit under Section 2063.202 [and

 

the incident response team established under Subchapter N-2] to

 

assist with responding to a cybersecurity incident [event] in this

 

state.  A task force [working group] may be established within the

 

geographic area of a regional planning commission established under

 

Chapter 391, Local Government Code.  The task force [working group]

 

may establish a list of available cybersecurity experts and share

 

resources to assist in responding to the cybersecurity incident

 

[event] and recovery from the incident [event].

 

       SECTION 8.  Chapter 2063, Government Code, as added by this

 

Act, is amended by adding Subchapter D, and a heading is added to

 

that subchapter to read as follows:

 

SUBCHAPTER D.  REPORTING

 

       SECTION 9.  Sections 2054.0591 and 2054.077, Government Code, are transferred to Subchapter D, Chapter 2063, Government Code, as added by this Act, redesignated as Sections 2063.301 and 2063.302, Government Code, respectively, and amended to read as follows:

       Sec. 2063.301  [2054.0591].  CYBERSECURITY REPORT.  (a)  Not later than November 15 of each even-numbered year, the command [department] shall submit to the governor, the lieutenant governor, the speaker of the house of representatives, and the standing committee of each house of the legislature with primary jurisdiction over state government operations a report identifying preventive and recovery efforts the state can undertake to improve cybersecurity in this state.  The report must include:

             (1)  an assessment of the resources available to address the operational and financial impacts of a cybersecurity event;

             (2)  a review of existing statutes regarding cybersecurity and information resources technologies; and

             (3)  recommendations for legislative action to increase the state’s cybersecurity and protect against adverse impacts from a cybersecurity incident [event; and

             [(4)  an evaluation of a program that provides an information security officer to assist small state agencies and local governments that are unable to justify hiring a full-time information security officer].

       (b)  Not later than October 1 of each even-numbered year, the command shall submit a report to the Legislative Budget Board that prioritizes, for the purpose of receiving funding, state agency cybersecurity projects. Each state agency shall coordinate with the command to implement this subsection.

       (c) [(b)]  The command [department] or a recipient of a report under this section may redact or withhold information confidential under Chapter 552, including Section 552.139, or other state or federal law that is contained in the report in response to a request under Chapter 552 without the necessity of requesting a decision from the attorney general under Subchapter G, Chapter 552.  The disclosure of information under this section is not a voluntary disclosure for purposes of Section 552.007.

 

       Sec. 2063.302  [2054.077].  VULNERABILITY REPORTS.  (a)  In this section, a term defined by Section 33.01, Penal Code, has the meaning assigned by that section.

       (b)  The information security officer of a state agency shall prepare or have prepared a report, including an executive summary of the findings of the biennial report, not later than June 1 of each even-numbered year, assessing the extent to which a computer, a computer program, a computer network, a computer system, a printer, an interface to a computer system, including mobile and peripheral devices, computer software, or data processing of the agency or of a contractor of the agency is vulnerable to unauthorized access or harm, including the extent to which the agency’s or contractor’s electronically stored information is vulnerable to alteration, damage, erasure, or inappropriate use.

       (c)  Except as provided by this section, a vulnerability report and any information or communication prepared or maintained for use in the preparation of a vulnerability report is confidential and is not subject to disclosure under Chapter 552.

       (d)  The information security officer shall provide an electronic copy of the vulnerability report on its completion to:

             (1)  the command [department];

             (2)  the state auditor;

             (3)  the agency’s executive director;

             (4)  the agency’s designated information resources manager; and

             (5)  any other information technology security oversight group specifically authorized by the legislature to receive the report.

       (e)  Separate from the executive summary described by Subsection (b), a state agency shall prepare a summary of the agency’s vulnerability report that does not contain any information the release of which might compromise the security of the state agency’s or state agency contractor’s computers, computer programs, computer networks, computer systems, printers, interfaces to computer systems, including mobile and peripheral devices, computer software, data processing, or electronically stored information.  [The summary is available to the public on request.]

 

       SECTION 10.  Section 2054.136, Government Code, is transferred to Subchapter E, Chapter 2063, Government Code, as added by this Act, redesignated as Section 2063.401, Government Code, and amended to read as follows:

       Sec. 2063.401  [2054.136].  DESIGNATED INFORMATION SECURITY OFFICER.  Each state agency shall designate an information security officer who:

             (1)  reports to the agency’s executive-level management;

             (2)  has authority over information security for the entire agency;

             (3)  possesses the training and experience required to ensure the agency complies with requirements and policies established by the command [perform the duties required by department rules]; and

             (4)  to the extent feasible, has information security duties as the officer’s primary duties.

 

       SECTION 11.  Section 2054.518, Government Code, is transferred to Subchapter E, Chapter 2063, Government Code, as added by this Act, redesignated as Section 2063.402, Government Code, and amended to read as follows:

       Sec. 2063.402  [2054.518].  CYBERSECURITY RISKS AND INCIDENTS.  (a)  The command [department] shall develop a plan to address cybersecurity risks and incidents in this state.  The command [department] may enter into an agreement with a national organization, including the National Cybersecurity Preparedness Consortium, to support the command’s [department’s] efforts in implementing the components of the plan for which the command [department] lacks resources to address internally.  The agreement may include provisions for:

             (1)  providing technical assistance services to support preparedness for and response to cybersecurity risks and incidents;

             (2)  conducting cybersecurity simulation exercises for state agencies to encourage coordination in defending against and responding to cybersecurity risks and incidents;

             (3)  assisting state agencies in developing cybersecurity information-sharing programs to disseminate information related to cybersecurity risks and incidents; and

             (4)  incorporating cybersecurity risk and incident prevention and response methods into existing state emergency plans, including continuity of operation plans and incident response plans.

       (b)  In implementing the provisions of the agreement prescribed by Subsection (a), the command [department] shall seek to prevent unnecessary duplication of existing programs or efforts of the command [department] or another state agency.

       (c) [(d)]  The command [department] shall consult with institutions of higher education in this state when appropriate based on an institution’s expertise in addressing specific cybersecurity risks and incidents.

 

       SECTION 12.  Section 2054.133, Government Code, is transferred to Subchapter E, Chapter 2063, Government Code, as added by this Act, redesignated as Section 2063.403, Government Code, and amended to read as follows:

       Sec. 2063.403  [2054.133].  INFORMATION SECURITY PLAN.  (a)  Each state agency shall develop, and periodically update, an information security plan for protecting the security of the agency’s information.

       (b)  In developing the plan, the state agency shall:

             (1)  consider any vulnerability report prepared under Section 2063.302 [2054.077] for the agency;

             (2)  incorporate the network security services provided by the department to the agency under Chapter 2059;

             (3)  identify and define the responsibilities of agency staff who produce, access, use, or serve as custodians of the agency’s information;

             (4)  identify risk management and other measures taken to protect the agency’s information from unauthorized access, disclosure, modification, or destruction;

             (5)  include:

                   (A)  the best practices for information security developed by the command [department]; or

                   (B)  if best practices are not applied, a written explanation of why the best practices are not sufficient for the agency’s security; and

             (6)  omit from any written copies of the plan information that could expose vulnerabilities in the agency’s network or online systems.

       (c)  Not later than June 1 of each even-numbered year, each state agency shall submit a copy of the agency’s information security plan to the command [department].  Subject to available resources, the command [department] may select a portion of the submitted security plans to be assessed by the command [department] in accordance with command policies [department rules].

       (d)  Each state agency’s information security plan is confidential and exempt from disclosure under Chapter 552.

       (e)  Each state agency shall include in the agency’s information security plan a written document that is signed by the head of the agency, the chief financial officer, and each executive manager designated by the state agency and states that those persons have been made aware of the risks revealed during the preparation of the agency’s information security plan.

       (f)  Not later than November 15 of each even-numbered year, the command [department] shall submit a written report to the governor, the lieutenant governor, the speaker of the house of representatives, and each standing committee of the legislature with primary jurisdiction over matters related to the command [department] evaluating information security for this state’s information resources.  In preparing the report, the command [department] shall consider the information security plans submitted by state agencies under this section, any vulnerability reports submitted under Section 2063.302 [2054.077], and other available information regarding the security of this state’s information resources.  The command [department] shall omit from any written copies of the report information that could expose specific vulnerabilities [in the security of this state’s information resources].

 

       SECTION 13.  Section 2054.516, Government Code, is transferred to Subchapter E, Chapter 2063, Government Code, as added by this Act, redesignated as Section 2063.405, Government Code, and amended to read as follows:

       Sec. 2063.405  [2054.516].  DATA SECURITY PLAN FOR ONLINE AND MOBILE APPLICATIONS.  (a)  Each state agency implementing an Internet website or mobile application that processes any sensitive personal or personally identifiable information or confidential information must:

             (1)  submit a biennial data security plan to the command [department] not later than June 1 of each even-numbered year to establish planned beta testing for the website or application; and

             (2)  subject the website or application to a vulnerability and penetration test and address any vulnerability identified in the test.

       (b)  The command [department] shall review each data security plan submitted under Subsection (a) and make any recommendations for changes to the plan to the state agency as soon as practicable after the command [department] reviews the plan.

 

       SECTION 14.  Section 2054.512, Government Code, is transferred to Subchapter E, Chapter 2063, Government Code, as added by this Act, redesignated as Section 2063.406, Government Code, and amended to read as follows:

       Sec. 2063.406  [2054.512].  CYBERSECURITY COUNCIL.  (a)  The chief or the chief’s designee [state cybersecurity coordinator] shall [establish and] lead a cybersecurity council that includes public and private sector leaders and cybersecurity practitioners to collaborate on matters of cybersecurity concerning this state.

       (b)  The cybersecurity council must include:

             (1)  one member who is an employee of the office of the governor;

             (2)  one member of the senate appointed by the lieutenant governor;

             (3)  one member of the house of representatives appointed by the speaker of the house of representatives;

             (4)  one member who is an employee of the Elections Division of the Office of the Secretary of State; [and]

             (5)  one member who is an employee of the department; and

             (6)  additional members appointed by the chief [state cybersecurity coordinator], including representatives of institutions of higher education and private sector leaders.

       (c)  Members of the cybersecurity council serve staggered six-year terms, with as near as possible to one-third of the members’ terms expiring February 1 of each odd-numbered year.

       (d)  In appointing representatives from institutions of higher education to the cybersecurity council, the chief [state cybersecurity coordinator] shall consider appointing members of the Information Technology Council for Higher Education.

       (e) [(d)]  The cybersecurity council shall:

             (1)  consider the costs and benefits of establishing a computer emergency readiness team to address cybersecurity incidents [cyber attacks] occurring in this state during routine and emergency situations;

             (2)  establish criteria and priorities for addressing cybersecurity threats to critical state installations;

             (3)  consolidate and synthesize best practices to assist state agencies in understanding and implementing cybersecurity measures that are most beneficial to this state; and

             (4)  assess the knowledge, skills, and capabilities of the existing information technology and cybersecurity workforce to mitigate and respond to cyber threats and develop recommendations for addressing immediate workforce deficiencies and ensuring a long-term pool of qualified applicants.

       (f) [(e)]  The chief, in collaboration with the cybersecurity council, shall provide recommendations to the legislature on any legislation necessary to implement cybersecurity best practices and remediation strategies for this state.

 

       SECTION 15.  Section 2054.514, Government Code, is transferred to Subchapter E, Chapter 2063, Government Code, as added by this Act, redesignated as Section 2063.407, Government Code, and amended to read as follows:

       Sec. 2063.407  [2054.514].  RECOMMENDATIONS.  The chief [state cybersecurity coordinator] may implement any portion, or all of the recommendations made by the cybersecurity council under Section 2063.406 [Cybersecurity, Education, and Economic Development Council under Subchapter N].

 

       SECTION 16.  Subchapter N-2, Chapter 2054, Government Code, is transferred to Chapter 2063, Government Code, as added by this Act, redesignated as Subchapter F, Chapter 2063, Government Code, and amended to read as follows:

SUBCHAPTER F [N-2].  TEXAS VOLUNTEER INCIDENT RESPONSE TEAM

       Sec. 2063.501  [2054.52001].  DEFINITIONS.  In this subchapter:

             (1)  “Incident response team” means the Texas volunteer incident response team established under Section 2063.502 [2054.52002].

             (2)  “Participating entity” means a state agency, including an institution of higher education, or a local government that receives assistance under this subchapter during a cybersecurity incident [event].

             (3)  “Volunteer” means an individual who provides rapid response assistance during a cybersecurity incident [event] under this subchapter.

 

       Sec. 2063.502 [2054.52002].  ESTABLISHMENT OF TEXAS VOLUNTEER INCIDENT RESPONSE TEAM.  (a)  The command [department] shall establish the Texas volunteer incident response team to provide rapid response assistance to a participating entity under the command’s [department’s] direction during a cybersecurity incident [event].

       (b)  The command [department] shall prescribe eligibility criteria for participation as a volunteer member of the incident response team, including a requirement that each volunteer have expertise in addressing cybersecurity incidents [events].

 

       Sec. 2063.503 [2054.52003].  CONTRACT WITH VOLUNTEERS.  The command [department] shall enter into a contract with each volunteer the command [department] approves to provide rapid response assistance under this subchapter.  The contract must require the volunteer to:

             (1)  acknowledge the confidentiality of information required by Section 2063.510 [2054.52010];

             (2)  protect all confidential information from disclosure;

             (3)  avoid conflicts of interest that might arise in a deployment under this subchapter;

             (4)  comply with command [department] security policies and procedures regarding information resources technologies;

             (5)  consent to background screening required by the command [department]; and

             (6)  attest to the volunteer’s satisfaction of any eligibility criteria established by the command [department].

 

       Sec. 2063.504 [2054.52004].  VOLUNTEER QUALIFICATION.  (a)  The command [department] shall require criminal history record information for each individual who accepts an invitation to become a volunteer.

       (b)  The command [department] may request other information relevant to the individual’s qualification and fitness to serve as a volunteer.

       (c)  The command [department] has sole discretion to determine whether an individual is qualified to serve as a volunteer.

 

       Sec. 2063.505  [2054.52005].  DEPLOYMENT.  (a)  In response to a cybersecurity incident [event] that affects multiple participating entities or a declaration by the governor of a state of disaster caused by a cybersecurity event, the command [department] on request of a participating entity may deploy volunteers and provide rapid response assistance under the command’s [department’s] direction and the managed security services framework established under Section 2063.204(c) [2054.0594(d)] to assist with the incident [event].

       (b)  A volunteer may only accept a deployment under this subchapter in writing.  A volunteer may decline to accept a deployment for any reason.

 

       Sec. 2063.506 [2054.52006].  CYBERSECURITY COUNCIL DUTIES.  The cybersecurity council established under Section 2063.406 [2054.512] shall review and make recommendations to the command [department] regarding the policies and procedures used by the command [department] to implement this subchapter.  The command [department] may consult with the council to implement and administer this subchapter.

 

       Sec. 2063.507 [2054.52007].  COMMAND [DEPARTMENT] POWERS AND DUTIES.  (a)  The command [department] shall:

             (1)  approve the incident response tools the incident response team may use in responding to a cybersecurity incident [event];

             (2)  establish the eligibility criteria an individual must meet to become a volunteer;

             (3)  develop and publish guidelines for operation of the incident response team, including the:

                   (A)  standards and procedures the command [department] uses to determine whether an individual is eligible to serve as a volunteer;

                   (B)  process for an individual to apply for and accept incident response team membership;

                   (C)  requirements for a participating entity to receive assistance from the incident response team; and

                   (D)  process for a participating entity to request and obtain the assistance of the incident response team; and

             (4)  adopt policies [rules] necessary to implement this subchapter.

       (b)  The command [department] may require a participating entity to enter into a contract as a condition for obtaining assistance from the incident response team.  [The contract must comply with the requirements of Chapters 771 and 791.]

       (c)  The command [department] may provide appropriate training to prospective and approved volunteers.

       (d)  In accordance with state law, the command [department] may provide compensation for actual and necessary travel and living expenses incurred by a volunteer on a deployment using money available for that purpose.

       (e)  The command [department] may establish a fee schedule for participating entities receiving incident response team assistance.  The amount of fees collected may not exceed the command’s [department’s] costs to operate the incident response team.

 

       Sec. 2063.508 [2054.52008].  STATUS OF VOLUNTEER; LIABILITY.  (a)  A volunteer is not an agent, employee, or independent contractor of this state for any purpose and has no authority to obligate this state to a third party.

       (b)  This state is not liable to a volunteer for personal injury or property damage sustained by the volunteer that arises from participation in the incident response team.

 

       Sec. 2063.509 [2054.52009].  CIVIL LIABILITY.  A volunteer who in good faith provides professional services in response to a cybersecurity incident [event] is not liable for civil damages as a result of the volunteer’s acts or omissions in providing the services, except for wilful and wanton misconduct.  This immunity is limited to services provided during the time of deployment for a cybersecurity incident [event].

 

       Sec. 2063.510 [2054.52010].  CONFIDENTIAL INFORMATION.  Information written, produced, collected, assembled, or maintained by the command [department], a participating entity, the cybersecurity council, or a volunteer in the implementation of this subchapter is confidential and not subject to disclosure under Chapter 552 if the information:

             (1)  contains the contact information for a volunteer;

             (2)  identifies or provides a means of identifying a person who may, as a result of disclosure of the information, become a victim of a cybersecurity incident [event];

             (3)  consists of a participating entity’s cybersecurity plans or cybersecurity-related practices; or

             (4)  is obtained from a participating entity or from a participating entity’s computer system in the course of providing assistance under this subchapter.

 

       SECTION 17.  Subchapter E, Chapter 2059, Government Code, is transferred to Chapter 2063, Government Code, as added by this Act, redesignated as Subchapter G, Chapter 2063, Government Code, and amended to read as follows:

SUBCHAPTER G [E].  REGIONAL [NETWORK] SECURITY OPERATIONS CENTERS

       Sec. 2063.601 [2059.201].  ELIGIBLE PARTICIPATING ENTITIES.  A state agency or an entity listed in Section 2059.058 is eligible to participate in cybersecurity support and network security provided by a regional [network] security operations center under this subchapter.

 

       Sec. 2063.602 [2059.202].  ESTABLISHMENT OF REGIONAL [NETWORK] SECURITY OPERATIONS CENTERS.  (a)  Subject to Subsection (b), the command [department] may establish regional [network] security operations centers, under the command’s [department’s] managed security services framework established by Section 2063.204(c) [2054.0594(d)], to assist in providing cybersecurity support and network security to regional offices or locations for state agencies and other eligible entities that elect to participate in and receive services through the center.

       (b)  The command [department] may establish more than one regional [network] security operations center only if the command [department] determines the first center established by the command [department] successfully provides to state agencies and other eligible entities the services the center has contracted to provide.

       (c)  The command [department] shall enter into an interagency contract in accordance with Chapter 771 or an interlocal contract in accordance with Chapter 791, as appropriate, with an eligible participating entity that elects to participate in and receive services through a regional [network] security operations center.

 

       Sec. 2063.603 [2059.203].  REGIONAL [NETWORK] SECURITY OPERATIONS CENTER LOCATIONS AND PHYSICAL SECURITY.  (a)  In creating and operating a regional [network] security operations center, the command may [department shall] partner with another [a] university system or institution of higher education as defined by Section 61.003, Education Code, other than a public junior college.  The system or institution shall:

             (1)  serve as an education partner with the command [department] for the regional [network] security operations center; and

             (2)  enter into an interagency contract with the command [department] in accordance with Chapter 771.

       (b)  In selecting the location for a regional [network] security operations center, the command [department] shall select a university system or institution of higher education that has supportive educational capabilities.

       (c)  A university system or institution of higher education selected to serve as a regional [network] security operations center shall control and monitor all entrances to and critical areas of the center to prevent unauthorized entry.  The system or institution shall restrict access to the center to only authorized individuals.

       (d)  A local law enforcement entity or any entity providing security for a regional [network] security operations center shall monitor security alarms at the regional [network] security operations center subject to the availability of that service.

       (e)  The command [department] and a university system or institution of higher education selected to serve as a regional [network] security operations center shall restrict operational information to only center personnel, except as provided by Chapter 321.

 

       Sec. 2063.604 [2059.204].  REGIONAL [NETWORK] SECURITY OPERATIONS CENTERS SERVICES AND SUPPORT.  The command [department] may offer the following managed security services through a regional [network] security operations center:

             (1)  real-time network security monitoring to detect and respond to network security events that may jeopardize this state and the residents of this state;

             (2)  alerts and guidance for defeating network security threats, including firewall configuration, installation, management, and monitoring, intelligence gathering, and protocol analysis;

             (3)  immediate response to counter network security activity that exposes this state and the residents of this state to risk, including complete intrusion detection system installation, management, and monitoring for participating entities;

             (4)  development, coordination, and execution of statewide cybersecurity operations to isolate, contain, and mitigate the impact of network security incidents for participating entities; and

             (5)  cybersecurity educational services.

 

       Sec. 2063.605 [2059.205].  NETWORK SECURITY GUIDELINES AND STANDARD OPERATING PROCEDURES.  (a)  The command [department] shall adopt and provide to each regional [network] security operations center appropriate network security guidelines and standard operating procedures to ensure efficient operation of the center with a maximum return on the state’s investment.

       (b)  The command [department] shall revise the standard operating procedures as necessary to confirm network security.

       (c)  Each eligible participating entity that elects to participate in a regional [network] security operations center shall comply with the network security guidelines and standard operating procedures.

 

       SECTION 18.  Section 325.011, Government Code, is amended to read as follows:

       Sec. 325.011.  CRITERIA FOR REVIEW.  The commission and its staff shall consider the following criteria in determining whether a public need exists for the continuation of a state agency or its advisory committees or for the performance of the functions of the agency or its advisory committees:

             (1)  the efficiency and effectiveness with which the agency or the advisory committee operates;

             (2)(A)  an identification of the mission, goals, and objectives intended for the agency or advisory committee and of the problem or need that the agency or advisory committee was intended to address; and

                   (B)  the extent to which the mission, goals, and objectives have been achieved and the problem or need has been addressed;

             (3)(A)  an identification of any activities of the agency in addition to those granted by statute and of the authority for those activities; and

                   (B)  the extent to which those activities are needed;

             (4)  an assessment of authority of the agency relating to fees, inspections, enforcement, and penalties;

             (5)  whether less restrictive or alternative methods of performing any function that the agency performs could adequately protect or provide service to the public;

             (6)  the extent to which the jurisdiction of the agency and the programs administered by the agency overlap or duplicate those of other agencies, the extent to which the agency coordinates with those agencies, and the extent to which the programs administered by the agency can be consolidated with the programs of other state agencies;

             (7)  the promptness and effectiveness with which the agency addresses complaints concerning entities or other persons affected by the agency, including an assessment of the agency’s administrative hearings process;

             (8)  an assessment of the agency’s rulemaking process and the extent to which the agency has encouraged participation by the public in making its rules and decisions and the extent to which the public participation has resulted in rules that benefit the public;

             (9)  the extent to which the agency has complied with:

                   (A)  federal and state laws and applicable rules regarding equality of employment opportunity and the rights and privacy of individuals; and

                   (B)  state law and applicable rules of any state agency regarding purchasing guidelines and programs for historically underutilized businesses;

             (10)  the extent to which the agency issues and enforces rules relating to potential conflicts of interest of its employees;

             (11)  the extent to which the agency complies with Chapters 551 and 552 and follows records management practices that enable the agency to respond efficiently to requests for public information;

             (12)  the effect of federal intervention or loss of federal funds if the agency is abolished;

             (13)  the extent to which the purpose and effectiveness of reporting requirements imposed on the agency justifies the continuation of the requirement; and

             (14)  an assessment of the agency’s cybersecurity practices using confidential information available from the Department of Information Resources, the Texas Cyber Command, or any other appropriate state agency.

 

       SECTION 19.  Section 11.175(h-1), Education Code, is amended to read as follows:

       (h-1)  Notwithstanding Section 2063.103 [2054.5191], Government Code, only the district’s cybersecurity coordinator is required to complete the cybersecurity training under that section on an annual basis.  Any other school district employee required to complete the cybersecurity training shall complete the training as determined by the district, in consultation with the district’s cybersecurity coordinator.

 

       SECTION 20.  Section 38.307(e), Education Code, is amended

 

to read as follows:

 

       (e)  The agency shall maintain the data collected by the task

 

force and the work product of the task force in accordance with:

 

             (1)  the agency’s information security plan under

 

Section 2063.403 [2054.133], Government Code; and

 

             (2)  the agency’s records retention schedule under

 

Section 441.185, Government Code.

 

       SECTION 21.  Section 61.003(6), Education Code, is amended

 

to read as follows:

 

             (6)  “Other agency of higher education” means The

 

University of Texas System, System Administration; The University

 

of Texas at El Paso Museum; Texas Epidemic Public Health Institute

 

at The University of Texas Health Science Center at Houston; the

 

Texas Cyber Command; The Texas A&M University System,

 

Administrative and General Offices; Texas A&M AgriLife Research;

 

Texas A&M AgriLife Extension Service; Rodent and Predatory Animal

 

Control Service (a part of the Texas A&M AgriLife Extension

 

Service); Texas A&M Engineering Experiment Station (including the

 

Texas A&M Transportation Institute); Texas A&M Engineering

 

Extension Service; Texas A&M Forest Service; Texas Division of

 

Emergency Management; Texas Tech University Museum; Texas State

 

University System, System Administration; Sam Houston Memorial

 

Museum; Panhandle-Plains Historical Museum; Cotton Research

 

Committee of Texas; Texas Water Resources Institute; Texas A&M

 

Veterinary Medical Diagnostic Laboratory; and any other unit,

 

division, institution, or agency which shall be so designated by

 

statute or which may be established to operate as a component part

 

of any public senior college or university, or which may be so

 

classified as provided in this chapter.

 

       SECTION 22.  Section 65.02(a), Education Code, is amended to

 

read as follows:

 

       (a)  The University of Texas System is composed of the

 

following institutions and entities:

 

             (1)  The University of Texas at Arlington;

 

             (2)  The University of Texas at Austin;

 

             (3)  The University of Texas at Dallas;

 

             (4)  The University of Texas at El Paso;

 

             (5)  The University of Texas Permian Basin;

 

             (6)  The University of Texas at San Antonio;

 

             (7)  The University of Texas Southwestern Medical

 

Center;

 

             (8)  The University of Texas Medical Branch at

 

Galveston;

 

             (9)  The University of Texas Health Science Center at

 

Houston;

 

             (10)  The University of Texas Health Science Center at

 

San Antonio;

 

             (11)  The University of Texas M. D. Anderson Cancer

 

Center;

 

             (12)  Stephen F. Austin State University, a member of

 

The University of Texas System;

 

             (13)  The University of Texas at Tyler; [and]

 

             (14)  The University of Texas Rio Grande Valley; and

 

             (15)  the Texas Cyber Command (Chapter 2063, Government

 

Code).

 

       SECTION 23.  Sections 772.012(b) and (c), Government Code,

 

are amended to read as follows:

 

       (b)  To apply for a grant under this chapter, a local

 

government must submit with the grant application a written

 

certification of the local government’s compliance with the

 

cybersecurity training required by Section 2063.103 [2054.5191].

 

       (c)  On a determination by the criminal justice division

 

established under Section 772.006 that a local government awarded a

 

grant under this chapter has not complied with the cybersecurity

 

training required by Section 2063.103 [2054.5191], the local

 

government shall pay to this state an amount equal to the amount of

 

the grant award.  A local government that is the subject of a

 

determination described by this subsection is ineligible for

 

another grant under this chapter until the second anniversary of

 

the date the local government is determined ineligible.

 

       SECTION 24.  Section 2054.0701(c), Government Code, is

 

amended to read as follows:

 

       (c)  A program offered under this section must:

 

             (1)  be approved by the Texas Higher Education

 

Coordinating Board in accordance with Section 61.0512, Education

 

Code;

 

             (2)  develop the knowledge and skills necessary for an

 

entry-level information technology position in a state agency; and

 

             (3)  include a one-year apprenticeship with:

 

                   (A)  the department;

 

                   (B)  another relevant state agency;

 

                   (C)  an organization working on a major

 

information resources project; or

 

                   (D)  a regional network security center

 

established under Section 2063.602 [2059.202].

 

       SECTION 25.  Section 2056.002(b), Government Code, is

 

amended to read as follows:

 

       (b)  The Legislative Budget Board and the governor’s office

 

shall determine the elements required to be included in each

 

agency’s strategic plan.  Unless modified by the Legislative Budget

 

Board and the governor’s office, and except as provided by

 

Subsection (c), a plan must include:

 

             (1)  a statement of the mission and goals of the state

 

agency;

 

             (2)  a description of the indicators developed under

 

this chapter and used to measure the output and outcome of the

 

agency;

 

             (3)  identification of the groups of people served by

 

the agency, including those having service priorities, or other

 

service measures established by law, and estimates of changes in

 

those groups expected during the term of the plan;

 

             (4)  an analysis of the use of the agency’s resources to

 

meet the agency’s needs, including future needs, and an estimate of

 

additional resources that may be necessary to meet future needs;

 

             (5)  an analysis of expected changes in the services

 

provided by the agency because of changes in state or federal law;

 

             (6)  a description of the means and strategies for

 

meeting the agency’s needs, including future needs, and achieving

 

the goals established under Section 2056.006 for each area of state

 

government for which the agency provides services;

 

             (7)  a description of the capital improvement needs of

 

the agency during the term of the plan and a statement, if

 

appropriate, of the priority of those needs;

 

             (8)  identification of each geographic region of this

 

state, including the Texas-Louisiana border region and the

 

Texas-Mexico border region, served by the agency, and if

 

appropriate the agency’s means and strategies for serving each

 

region;

 

             (9)  a description of the training of the agency’s

 

contract managers under Section 656.052;

 

             (10)  an analysis of the agency’s expected expenditures

 

that relate to federally owned or operated military installations

 

or facilities, or communities where a federally owned or operated

 

military installation or facility is located;

 

             (11)  an analysis of the strategic use of information

 

resources as provided by the instructions prepared under Section

 

2054.095;

 

             (12)  a written certification of the agency’s

 

compliance with the cybersecurity training required under Sections

 

2063.103 [2054.5191] and 2063.104 [2054.5192]; and

 

             (13)  other information that may be required.

 

       SECTION 26.  (a)  In this section, “department” means the

 

Department of Information Resources.

 

       (b)  On the effective date of this Act:

 

             (1)  the Texas Cyber Command, organized as provided by

 

Section 2063.002, Government Code, as added by this Act, is created

 

with the powers and duties assigned by Chapter 2063, Government

 

Code, as added by this Act; and

 

             (2)  the chief information security officer of the

 

department becomes the chief of the Texas Cyber Command, as

 

described by Section 2063.0025, Government Code, as added by this

 

Act.

 

       (c)  Notwithstanding Subsection (b) of this section, the

 

department shall continue to perform duties and exercise powers

 

under Chapter 2054, Government Code, as that law existed

 

immediately before the effective date of this Act, until the date

 

provided by the memorandum of understanding entered into under

 

Subsection (e) of this section.

 

       (d)  Not later than December 31, 2026:

 

             (1)  all functions and activities performed by the

 

department that relate to cybersecurity under Chapter 2063,

 

Government Code, as added by this Act, are transferred to the Texas

 

Cyber Command;

 

             (2)  all employees of the department who primarily

 

perform duties related to cybersecurity, including employees who

 

provide administrative support for those services, under Chapter

 

2063, Government Code, as added by this Act, become employees of the

 

Texas Cyber Command, but continue to work in the same physical

 

location unless moved in accordance with the memorandum of

 

understanding entered into under Subsection (e) of this section;

 

             (3)  a rule or form adopted by the department that

 

relates to cybersecurity under Chapter 2063, Government Code, as

 

added by this Act, is a rule or form of the Texas Cyber Command and

 

remains in effect until changed by the command;

 

             (4)  a reference in law to the department that relates

 

to cybersecurity under Chapter 2063, Government Code, as added by

 

this Act, means the Texas Cyber Command;

 

             (5)  a contract negotiation or other proceeding

 

involving the department that is related to cybersecurity under

 

Chapter 2063, Government Code, as added by this Act, is transferred

 

without change in status to the Texas Cyber Command, and the Texas

 

Cyber Command assumes, without a change in status, the position of

 

the department in a negotiation or proceeding relating to

 

cybersecurity to which the department is a party;

 

             (6)  all money, contracts, leases, rights, and

 

obligations of the department related to cybersecurity under

 

Chapter 2063, Government Code, as added by this Act, are

 

transferred to the Texas Cyber Command;

 

             (7)  all property, including records, in the custody of

 

the department related to cybersecurity under Chapter 2063,

 

Government Code, as added by this Act, becomes property of the Texas

 

Cyber Command, but stays in the same physical location unless moved

 

in accordance with the specific steps and methods created under

 

Subsection (e) of this section; and

 

             (8)  all funds appropriated by the legislature to the

 

department for purposes related to cybersecurity, including funds

 

for providing administrative support, under Chapter 2063,

 

Government Code, as added by this Act, are transferred to the Texas

 

Cyber Command.

 

       (e)  Not later than January 1, 2026, the department and the

 

board of regents of The University of Texas System shall enter into

 

a memorandum of understanding relating to the transfer of powers

 

and duties from the department to the Texas Cyber Command as

 

provided by this Act. The memorandum must include:

 

             (1)  a timetable and specific steps and methods for the

 

transfer of all powers, duties, obligations, rights, contracts,

 

leases, records, real or personal property, and unspent and

 

unobligated appropriations and other funds relating to the

 

administration of the powers and duties as provided by this Act;

 

             (2)  measures to ensure against any unnecessary

 

disruption to cybersecurity operations during the transfer

 

process; and

 

             (3)  a provision that the terms of any memorandum of

 

understanding entered into related to the transfer remain in effect

 

until the transfer is completed.

 

       SECTION 27.  This Act takes effect September 1, 2025. 

About the author: Support Systems