Relating to the continuation and functions of the Department of Information Resources, including the composition of the governing body of the department.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Subchapter C, Chapter 656, Government Code, is
amended by adding Sections 656.0505 and 656.0506 to read as
follows:
Sec. 656.0505. VOLUNTARY CERTIFICATION COURSE ON
PROCUREMENT OF INFORMATION RESOURCES TECHNOLOGIES. (a) In this
section:
(1) “Department” means the Department of Information
Resources.
(2) “Information resources technologies” has the
meaning assigned by Section 2054.003.
(b) In coordination with the comptroller, the department
shall develop and implement a certification course on the
procurement of information resources technologies and make the
course available to a person who:
(1) holds a purchasing certification issued under
Section 656.051;
(2) holds a contract management certification issued
under Section 656.052; or
(3) holds both certifications described by
Subdivisions (1) and (2).
(c) The department shall provide the course at least
quarterly and must provide the course in person.
(d) The department shall certify a state agency employee who
successfully completes the course.
(e) Successful completion of the course may be credited
toward any continuing education requirements for maintaining a
certification under Section 656.051 or 656.052, or both.
Sec. 656.0506. TRAINING ON PURCHASES OF INFORMATION
RESOURCES TECHNOLOGIES FOR CERTAIN STATE AGENCY OFFICERS AND
EMPLOYEES. (a) In this section:
(1) “Department” means the Department of Information
Resources.
(2) “Information resources technologies” has the
meaning assigned by Section 2054.003.
(b) The department shall develop and provide annual
training for persons who serve in upper management positions at
state agencies, including elected or appointed state officers and
executive heads of state agencies on best practices and
methodologies for purchasing information resources technologies.
(c) The department shall include in the training provided
under Subsection (b) information the department covers in the
certification programs established by Sections 656.051 and 656.052
that is related to the purchase of information resources
technologies. The department may include additional topics in the
training.
(d) The department may not require a person described by
Subsection (b) to participate in the training.
SECTION 2. Section 2054.003(13), Government Code, is
amended to read as follows:
(13) “State agency” means, except as otherwise
provided by this chapter, a department, commission, board, office,
council, authority, or other agency in the executive or judicial
branch of state government that is created by the constitution or a
statute of this state, including a university system or institution
of higher education as defined by Section 61.003, Education Code.
SECTION 3. Section 2054.005, Government Code, is amended to
read as follows:
Sec. 2054.005. SUNSET PROVISION. [(a)] The Department of
Information Resources is subject to Chapter 325 (Texas Sunset Act).
Unless continued in existence as provided by that chapter, the
department is abolished [and this chapter expires] September 1,
2037 [2025].
SECTION 4. Section 2054.021, Government Code, is amended by
amending Subsections (a), (c), (f), (g), and (h) and adding
Subsections (a-1), (c-1), (c-2), and (i) to read as follows:
(a) For purposes of this section, “state agency” has the
meaning assigned by Section 2054.003 but does not include a
department, commission, board, office, council, authority, or
other agency in the judicial branch of state government.
(a-1) The department is governed by a board composed of 11
members as follows:
(1) seven voting members appointed by the governor
with the advice and consent of the senate; and
(2) four nonvoting members as provided by Subsection
(c). [One member must be employed by an institution of higher
education as defined by Section 61.003, Education Code.]
(c) The governor shall appoint the four nonvoting members of
the board as follows:
(1) one member who is an employee of an institution of
higher education, as defined by Section 61.003, Education Code;
(2) two members who are employees of state agencies
that are on the list provided under Subsection (c-1); and
(3) one member who is an employee of a state agency
with fewer than 500 full-time employees.
(c-1) Not later than December 1 of each even-numbered year,
the department shall provide the governor a list of the 10 state
agencies that spent the most money on products and services of the
department during the previous state fiscal year.
(c-2) A nonvoting member of the board serves for a two-year
term that expires February 1 of each odd-numbered year. [Two groups
each composed of three ex officio members serve on the board on a
rotating basis. The ex officio members serve as nonvoting members
of the board. Only one group serves at a time. The first group is
composed of the commissioner of insurance, the executive
commissioner of the Health and Human Services Commission, and the
executive director of the Texas Department of Transportation.
Members of the first group serve for two-year terms that begin
February 1 of every other odd-numbered year and that expire on
February 1 of the next odd-numbered year. The second group is
composed of the commissioner of education, the executive director
of the Texas Department of Criminal Justice, and the executive
director of the Parks and Wildlife Department. Members of the
second group serve for two-year terms that begin February 1 of the
odd-numbered years in which the terms of members of the first group
expire and that expire on February 1 of the next odd-numbered year.]
(f) A [To be eligible to take office or serve as a voting or
nonvoting member of the board, a] person who is appointed to and
qualifies for office as a member of the board may not vote,
deliberate, or be counted as a member in attendance at a meeting of
the board until the person:
(1) completes [appointed to or scheduled to serve as
an ex officio member of the board must complete at least one course
of] a training program that complies with Subsection (g); and
(2) signs and submits to the executive director a
statement acknowledging that the member completed the training
program and the training required under Section 656.053 [this
section]. [A voting or nonvoting board member must complete a
training program that complies with Subsection (g) not later than
the 180th day after the date on which the person takes office or
begins serving as a member of the board.]
(g) The training program must provide the person with
information [to the person] regarding:
(1) the law governing department operations [this
chapter] and the board to which the person is appointed to serve;
(2) the programs, functions, rules, and budget of
[operated by] the department;
(3) the scope of and limitations on the rulemaking
authority of the department [the role and functions of the
department];
(4) the results of the most recent formal audit of the
department [rules of the department, with an emphasis on the rules
that relate to disciplinary and investigatory authority];
(5) the requirements of:
(A) laws relating to open meetings, public
information, administrative procedure, and disclosing conflicts of
interest; and
(B) other laws applicable to members of a state
policy-making body in performing their duties [current budget for
the department];
(6) [the results of the most recent formal audit of the
department;
[(7) the requirements of the:
[(A) open meetings law, Chapter 551;
[(B) open records law, Chapter 552; and
[(C) administrative procedure law, Chapter 2001;
[(8) the requirements of the conflict of interest laws
and other laws relating to public officials;
[(9)] any applicable ethics policies adopted by the
department or the Texas Ethics Commission; and
(7) [(10)] contract management training.
(h) A person appointed to the board is entitled to
reimbursement, as provided by the General Appropriations Act, for
travel expenses incurred in attending the training program,
regardless of whether the attendance at the program occurs before
or after the person qualifies for office [as provided by the General
Appropriations Act and as if the person were a member of the board].
(i) The executive director shall create a training manual
that includes the information required by Subsection (g). The
executive director shall distribute a copy of the training manual
annually to each member of the board. Each member of the board
shall sign and submit to the executive director a statement
acknowledging that the member received and has reviewed the
training manual.
SECTION 5. Section 2054.024(c), Government Code, is amended
to read as follows:
(c) If the final result of an action brought in a court of
competent jurisdiction is that a board [an ex officio or other]
member [of the board] may not serve on the board under the Texas
Constitution, the [appropriate individual shall promptly submit a
list to the] governor shall appoint [for the appointment of] a
replacement who may serve.
SECTION 6. The heading to Section 2054.033, Government
Code, is amended to read as follows:
Sec. 2054.033. ESTABLISHMENT OF ADVISORY COMMITTEES;
ADMINISTRATION AND REQUIREMENTS.
SECTION 7. Section 2054.033, Government Code, is amended by
amending Subsection (a) and adding Subsections (e), (f), and (g) to
read as follows:
(a) The board and the executive director, if authorized by
the board, by rule may establish [appoint] advisory committees as
the department considers necessary to provide expertise to the
department.
(e) With respect to an advisory committee whose
jurisdiction covers a service provided by the department to state
agencies, in appointing members to the advisory committee the board
shall:
(1) to the extent practicable, ensure that the
advisory committee is composed of a cross-section of the
department’s customers who use the service; and
(2) appoint, in addition to the member required by
Subsection (d), at least one member who is an employee of a state
agency with 500 or fewer full-time employees.
(f) The board shall adopt rules to govern each advisory
committee of the department. The rules must include:
(1) the purpose, role, goals, composition, and
duration of the advisory committee;
(2) as to the advisory committee members:
(A) the appointment procedures, terms, and
quorum requirements;
(B) conflict-of-interest policies; and
(C) as advisable, member qualifications or
training requirements;
(3) as appropriate, a method the department must use
to receive public input on issues considered by the advisory
committee; and
(4) as appropriate, a method for sharing findings and
information of the advisory committee with the public and the
board.
(g) Except as otherwise provided by this chapter, an
advisory committee of the department is subject to Chapter 2110.
SECTION 8. Subchapter B, Chapter 2054, Government Code, is
amended by adding Sections 2054.0333, 2054.0335, and 2054.0337 to
read as follows:
Sec. 2054.0333. ADVISORY COMMITTEES ON DEPARTMENT
FUNCTIONS REQUIRED. The board by rule shall establish advisory
committees under Section 2054.033 that advise the board on
governing the department and cover in subject matter the
department’s primary functions, including at least one advisory
committee for each of the following subjects:
(1) procurement under Subchapter B, Chapter 2157;
(2) the development and implementation of information
security programs; and
(3) the preparation of the state strategic plan
required by Section 2054.091.
Sec. 2054.0335. STATEWIDE INFORMATION SECURITY ADVISORY
COMMITTEE. (a) The board by rule shall establish an advisory
committee under Section 2054.033 to make recommendations to the
department on improving the effectiveness of the department’s and
this state’s information security operations.
(b) The advisory committee must include members who are
information security professionals employed by state agencies and
local governments.
(c) The presiding officer of the advisory committee is the
chief information security officer under Section 2054.510.
Sec. 2054.0337. CUSTOMER ADVISORY COMMITTEE. (a) The
board by rule shall establish an advisory committee under Section
2054.033 to report to and advise the board on improving the
effectiveness and efficiency of services provided by the department
to customers.
(b) The board shall appoint advisory committee members who
are employees of state agencies that:
(1) use the department’s services; and
(2) have 500 or fewer full-time employees, including
at least three members who are employees of state agencies that have
150 or fewer full-time employees.
SECTION 9. Section 2054.035(b), Government Code, is amended
to read as follows:
(b) The department shall prepare information of public
interest describing the functions of the department [and the
procedures by which complaints are filed with and resolved by the
department]. The department shall make the information available
to the public and appropriate state agencies.
SECTION 10. Section 2054.036, Government Code, is amended
to read as follows:
Sec. 2054.036. COMPLAINTS. (a) The department shall
maintain a system to promptly and efficiently act on complaints
filed with the department. The department shall maintain
information about parties to the complaint, the subject matter of
the complaint, and a summary of the results of the review or
investigation of the complaint, and its disposition. [keep a file
about each written complaint filed with the department that the
department has authority to resolve. The department shall provide
to the person filing the complaint and the persons or entities
complained about the department’s policies and procedures
pertaining to complaint investigation and resolution. The
department, at least quarterly and until final disposition of the
complaint, shall notify the person filing the complaint and the
persons or entities complained about of the status of the complaint
unless the notice would jeopardize an undercover investigation.]
(b) The department shall make information available
describing its procedures for complaint investigation and
resolution [keep information about each complaint filed with the
department]. [The information shall include:
[(1) the date the complaint is received;
[(2) the name of the complainant;
[(3) the subject matter of the complaint;
[(4) a record of all persons contacted in relation to
the complaint;
[(5) a summary of the results of the review or
investigation of the complaint; and
[(6) for complaints for which the department took no
action, an explanation of the reason the complaint was closed
without action.]
(c) The department shall periodically notify the complaint
parties of the status of the complaint until final disposition
unless the notice would jeopardize an ongoing investigation.
SECTION 11. Sections 2054.055(b) and (b-2), Government
Code, are amended to read as follows:
(b) The report must:
(1) assess the progress made toward meeting the goals
and objectives of the state strategic plan for information
resources management;
(2) describe major accomplishments of the state or a
specific state agency in information resources management;
(3) describe major problems in information resources
management confronting the state or a specific state agency;
(4) provide a summary of the total expenditures for
information resources and information resources technologies by
the state;
(5) make recommendations for improving the
effectiveness and cost-efficiency of the state’s use of information
resources;
(6) describe the status, progress, benefits, and
efficiency gains of the state electronic Internet portal project,
including any significant issues regarding contract performance;
(7) provide a financial summary of the state
electronic Internet portal project, including project costs and
revenues;
(8) [provide a summary of the amount and use of
Internet-based training conducted by each state agency and
institution of higher education;
[(9)] provide a summary of agency and statewide
results in providing access to electronic and information resources
to individuals with disabilities as required by Subchapter M;
(9) [(10)] assess the progress made toward
accomplishing the goals of the plan for a state telecommunications
network and developing a system of telecommunications services as
provided by Subchapter H; and
(10) [(11)] identify proposed major information
resources projects for the next state fiscal biennium, including
project costs through stages of the project and across state fiscal
years from project initiation to implementation.
(b-2) The information required under Subsection (b)(10)
[(b)(11)] must include:
(1) final total cost of ownership budget data for the
entire life cycle of the major information resources project,
including capital and operational costs that itemize staffing
costs, contracted services, hardware purchased or leased, software
purchased or leased, travel, and training;
(2) the original project schedule and the final actual
project schedule;
(3) data on the progress toward meeting the original
goals and performance measures of the project, specifically those
related to operating budget savings;
(4) lessons learned on the project, performance
evaluations of any vendors used in the project, and reasons for
project delays or cost increases; and
(5) the benefits, cost avoidance, and cost savings
generated by major technology resources projects.
SECTION 12. Subchapter C, Chapter 2054, Government Code, is
amended by adding Section 2054.057 to read as follows:
Sec. 2054.057. PROCUREMENT SERVICES PILOT PROGRAM. (a) In
this section:
(1) “Participating state agency” means a state agency
that the department has approved to participate in the pilot
program.
(2) “Pilot program” means the procurement services
pilot program established under this section.
(3) “State agency” means a board, commission, office,
department, or other agency in the executive, judicial, or
legislative branch of state government. The term does not include
an institution of higher education, as defined by Section 61.003,
Education Code.
(b) The department shall establish a pilot program under
which the department provides assistance in the procurement of
information resources technologies on request by a participating
state agency.
(c) A state agency may participate in the pilot program only
if the department approves of the participation in writing.
(d) The department may limit the:
(1) number of participating state agencies in the
pilot program; and
(2) types of information resources technologies for
which procurement assistance is provided under the pilot program.
(e) Services under the pilot program may include assistance
with:
(1) procurement planning;
(2) developing a cost estimate for an information
resources technologies project; and
(3) drafting and developing a solicitation.
(f) With respect to any procurement assistance provided by
the department under the pilot program, the department:
(1) may not control the procurement for which the
assistance is provided or the management of any resulting contract;
and
(2) is not civilly liable for damages resulting from
the provision of procurement assistance unless the damages result
from intentional conduct or gross negligence.
(g) Not later than December 1, 2028, the department shall
submit a report to the legislature that includes a summary of the
pilot program’s activities and a recommendation of whether to
continue or expand the program.
(h) This section expires January 1, 2029.
SECTION 13. Section 2054.075(b), Government Code, is
amended to read as follows:
(b) Each state agency information resources manager is part
of the agency’s executive management and reports directly to the
executive head or deputy executive head of the agency. Each state
agency shall report to the department the extent and results of its
compliance with this subsection and include with the report an
organizational chart showing the structure of the personnel in the
agency’s executive management. [The department shall report the
extent and results of state agencies’ compliance with this
subsection to the legislature.]
SECTION 14. Section 2054.097, Government Code, is amended
by adding Subsections (c), (d), and (e) to read as follows:
(c) Once every two years, the department shall conduct a
limited evaluation of the information resources deployment review
of at least five state agencies to verify the accuracy of those
reviews. The department may limit the evaluation to review
responses on subjects that represent the highest risks or greatest
opportunities for improvement regarding the state agency’s
software, hardware, compliance, and cybersecurity.
(d) The department is not required to conduct site visits as
part of the limited evaluation required by Subsection (c).
(e) The department shall use information received from the
limited evaluation required by Subsection (c) to:
(1) update trainings for and outreach to information
resources managers on accurately completing the information
resources deployment review; and
(2) recommend information resources technology
solutions to state agencies as needed.
SECTION 15. Section 2054.2606(c), Government Code, is
amended to read as follows:
(c) A licensing entity that establishes a profile system
under this section shall determine the information to be included
in the system and the manner for collecting and reporting the
information. At a minimum, the entity shall include the following
information in the profile system:
(1) the name of the license holder and the address and
telephone number of the license holder’s primary practice location;
(2) whether the license holder’s patient, client,
user, customer, or consumer service areas, as applicable, are
accessible to [disabled] persons with disabilities, as defined by
federal law;
(3) the type of language translating services,
including translating services for a person who is deaf or hard
[with impairment] of hearing, that the license holder provides for
patients, clients, users, customers, or consumers, as applicable;
(4) if applicable, insurance information, including
whether the license holder participates in the state child health
plan under Chapter 62, Health and Safety Code, or the Medicaid
program;
(5) the education and training received by the license
holder, as required by the licensing entity;
(6) any specialty certification held by the license
holder;
(7) the number of years the person has practiced as a
license holder; and
(8) if applicable, any hospital affiliation of the
license holder.
SECTION 16. Section 2054.456(a), Government Code, is
amended to read as follows:
(a) Each state agency shall, in developing, procuring,
maintaining, or using electronic and information resources, ensure
that state employees with disabilities have access to and the use of
those resources comparable to the access and use available to state
employees without disabilities, unless compliance with this
section imposes a significant difficulty or expense on the agency
under Section 2054.460. Subject to Section 2054.460, the agency
shall take reasonable steps to ensure that an [a disabled] employee
with a disability has reasonable access to perform the employee’s
duties.
SECTION 17. The heading to Section 2054.515, Government
Code, is amended to read as follows:
Sec. 2054.515. AGENCY DATA GOVERNANCE [INFORMATION
SECURITY] ASSESSMENT AND REPORT.
SECTION 18. Section 2054.515, Government Code, is amended
by amending Subsections (a), (c), and (d) and adding Subsection
(a-1) to read as follows:
(a) At least once every two years, each state agency shall
conduct an [information security] assessment of the agency’s[:
[(1) information resources systems, network systems,
digital data storage systems, digital data security measures, and
information resources vulnerabilities; and
[(2)] data governance program with participation from
the agency’s data management officer, if applicable, and in
accordance with requirements established by department rule.
(a-1) Not later than June 1 of each even-numbered year, each
state agency shall report the results of the assessment conducted
under Subsection (a) to:
(1) the department; and
(2) on request, the governor, the lieutenant governor,
and the speaker of the house of representatives.
(c) The department by rule shall establish the requirements
for the [information security] assessment and report required by
this section.
(d) The report and all documentation related to the
[information security] assessment and report are confidential and
not subject to disclosure under Chapter 552. The state agency or
department may redact or withhold the information as confidential
under Chapter 552 without requesting a decision from the attorney
general under Subchapter G, Chapter 552.
SECTION 19. Sections 2054.5191(a), (a-1), and (a-2),
Government Code, are amended to read as follows:
(a) At least once each year, each employee of a [Each] state
agency [shall identify state employees who use a computer to
complete at least 25 percent of the employee’s required duties. At
least once each year, an employee identified by the state agency]
and each elected or appointed officer of the agency shall complete a
cybersecurity training program certified under Section 2054.519.
(a-1) At least once each year, each employee and each
elected or appointed official of a local government shall[:
[(1) identify local government employees and elected
and appointed officials who have access to a local government
computer system or database and use a computer to perform at least
25 percent of the employee’s or official’s required duties; and
[(2) require the employees and officials identified
under Subdivision (1) to] complete a cybersecurity training program
certified under Section 2054.519.
(a-2) The governing body of a local government or the
governing body’s designee may deny access to the local government’s
computer system or database to an employee or official of the local
government [an individual described by Subsection (a-1)(1)] who the
governing body or the governing body’s designee determines is
noncompliant with the requirements of Subsection (a-1) [(a-1)(2)].
SECTION 20. Subchapter N-1, Chapter 2054, Government Code,
is amended by adding Section 2054.5195 to read as follows:
Sec. 2054.5195. INFORMATION SECURITY ASSESSMENT AND
PENETRATION TEST REQUIRED. (a) This section does not apply to a
university system or institution of higher education as defined by
Section 61.003, Education Code.
(b) At least once every two years, the department shall
require each state agency to complete an information security
assessment and a penetration test to be performed by the department
or, at the department’s discretion, a vendor selected by the
department.
(c) The department shall establish rules as necessary to
implement this section, including rules for the procurement of a
vendor under Subsection (b).
SECTION 21. The following provisions of the Government Code
are repealed:
(1) Section 2054.021(d);
(2) Section 2054.023(c);
(3) Section 2054.0331;
(4) Section 2054.091(d);
(5) Section 2054.0925(c);
(6) Section 2054.515(b), as amended by Chapter 567
(S.B. 475), Acts of the 87th Legislature, Regular Session, 2021;
and
(7) Section 2054.515(b), as amended by Chapter 856
(S.B. 800), Acts of the 87th Legislature, Regular Session, 2021.
SECTION 22. (a) In this section, “institution of higher
education” has the meaning assigned by Section 61.003, Education
Code.
(b) As soon as possible after the effective date of this
Act, as the terms of members of the governing board of the
Department of Information Resources expire or as vacancies occur,
the governor shall appoint members to the board so that the board is
composed in accordance with Section 2054.021, Government Code, as
amended by this Act, except that the term of the member of the board
serving on the board immediately before the effective date of this
Act who holds the position of the member who is employed by an
institution of higher education expires on that date. A member of
the governing board whose term expires under this subsection is
eligible for reappointment under Subsection (c) of this section.
(c) Not later than December 1, 2025, the governor shall
appoint the following members to the governing board of the
Department of Information Resources in accordance with Section
2054.021, Government Code, as amended by this Act:
(1) one voting member to serve a term that expires
February 1, 2031; and
(2) one nonvoting member to the position of the member
who is employed by an institution of higher education to serve a
term that expires February 1, 2027.
SECTION 23. (a) Except as provided by Subsection (b) of
this section, Section 2054.021(f), Government Code, as amended by
this Act, applies to a member of the governing board of the
Department of Information Resources appointed before, on, or after
the effective date of this Act.
(b) A member of the governing board of the Department of
Information Resources who, before the effective date of this Act,
completed the training program required by Section 2054.021(f),
Government Code, and described in Section 2054.021(g), Government
Code, as that law existed before the effective date of this Act, is
only required to complete additional training on the subjects added
by this Act to the training program described by Section
2054.021(g), Government Code. A member described by this
subsection may not vote, deliberate, or be counted as a member in
attendance at a meeting of the board held on or after December 1,
2025, until the member completes the additional training.
SECTION 24. This Act takes effect September 1, 2025.