By: Capriglione
H.B. No. 3892

A BILL TO BE ENTITLED
AN ACT
relating to matters concerning governmental entities, including cybersecurity, governmental efficiencies, information resources, and emergency planning.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1.  Section 37.108(b), Education Code, is amended to read as follows:
       (b)  At least once every three years, each school district or public junior college district shall conduct a safety and security audit of the district's facilities, including an information technology cybersecurity assessment. To the extent possible, a district shall follow safety and security audit procedures developed by the Texas School Safety Center or a person included in the registry established by the Texas School Safety Center under Section 37.2091.

SECTION 2.  Subchapter A, Chapter 31, Election Code, is amended by adding Section 31.017 to read as follows:
       Sec. 31.017.  STUDY ON USE OF ARTIFICIAL INTELLIGENCE FOR SIGNATURE VERIFICATION. (a) The secretary of state shall conduct a study on the use of artificial intelligence to verify signatures on carrier envelope certificates for early voting ballots voted by mail. In conducting the study, the secretary of state must consider other states' experiences using that method of signature verification, as well as other studies published on the subject.
       (b)  Not later than September 1, 2022, the secretary of state shall prepare and deliver a report on the study's findings to the committees of each house of the legislature with primary jurisdiction over elections.
       (c)  This section expires December 1, 2022.

SECTION 3.  Subchapter B, Chapter 421, Government Code, is amended by adding Section 421.027 to read as follows:
       Sec. 421.027.  CYBER INCIDENT STUDY AND RESPONSE PLAN.
       (a)  In this section:
             (1)  "Cyber incident" means an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information on the computers or systems. The term includes a vulnerability in implementation or in an information system, system security procedure, or internal control that could be exploited by a threat source.
             (2)  "Significant cyber incident" means a cyber incident, or a group of related cyber incidents, likely to result in demonstrable harm to state security interests, foreign relations, or the economy of this state or to the public confidence, civil liberties, or public health and safety of the residents of this state.
       (b)  The council, in cooperation with the Department of Information Resources, shall:
             (1)  conduct a study regarding cyber incidents and significant cyber incidents affecting state agencies and critical infrastructure that is owned, operated, or controlled by agencies; and
             (2)  develop a comprehensive state response plan to provide a format for each state agency to develop an agency-specific response plan and to implement the plan into the agency's information security plan required under Section 2054.133 to be implemented by the agency in the event of a cyber incident or significant cyber incident affecting the agency or critical infrastructure that is owned, operated, or controlled by the agency.
       (c)  Not later than September 1, 2022, the council shall deliver the response plan and a report on the findings of the study to:
             (1)  the public safety director of the Department of Public Safety;
             (2)  the governor;
             (3)  the lieutenant governor;
             (4)  the speaker of the house of representatives;
             (5)  the chair of the committee of the senate having primary jurisdiction over homeland security matters; and
             (6)  the chair of the committee of the house of representatives having primary jurisdiction over homeland security matters.
       (d)  The response plan required by Subsection (b) and the report required by Subsection (c) are not public information for purposes of Chapter 552.
       (e)  This section expires December 1, 2022.

SECTION 4.  Subchapter L, Chapter 441, Government Code, is amended by adding Sections 441.1825 and 441.1856 to read as follows:
       Sec. 441.1825.  STATE INFORMATION GOVERNANCE COORDINATOR. (a) The director and librarian shall employ a state information governance coordinator in the commission's records management division.
       (b)  The state information governance coordinator shall:
             (1)  ensure records management programs are implemented by state agencies for all media types;
             (2)  assist state agencies in complying with the agencies' records management programs; and
             (3)  increase overall awareness and outreach for state agency records management programs.
       Sec. 441.1856.  TEXAS DIGITAL ARCHIVE. (a) The commission shall maintain and operate a digital repository for the preservation of and access to permanently valuable archival state records, reports, and publications.
       (b)  The commission, in collaboration with the Department of Information Resources, shall develop a strategy, consistent with state records management and archival practices, for state agencies to transfer appropriate archival state records that are in electronic format to the commission for inclusion in the digital repository described by Subsection (a).

SECTION 5.  Section 441.183, Government Code, is amended to read as follows:
       Sec. 441.183.  RECORDS MANAGEMENT PROGRAMS IN STATE AGENCIES. (a) The agency head of each state agency shall:
             (1)  establish and maintain a records management program on a continuing and active basis;
             (2)  create and maintain records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency designed to furnish information to protect the financial and legal rights of the state and any person affected by the activities of the agency;
             (3)  make certain that all records of the agency are passed to the agency head's successor in the position of agency head;
             (4)  identify and take adequate steps to protect confidential and vital state records;
             (5)  cooperate with the commission in the conduct of state agency records management surveys; and
             (6)  cooperate with the commission, the director and librarian, and any other authorized designee of the director and librarian in fulfilling their duties under this subchapter.
       (b)  This subsection applies only to a state agency that is a department, commission, board, office, or other agency in the executive branch of state government. This subsection does not apply to an institution of higher education, as defined by Section 61.003, Education Code.
As part of a records management program established under Subsection (a), the agency head of a state agency to which this subsection applies shall require training for agency employees, annually and on employment with the agency, regarding the records management program, including the agency's approved records retention schedule.

SECTION 6.  Subchapter C, Chapter 2054, Government Code, is amended by adding Section 2054.0695 to read as follows:
       Sec. 2054.0695.  SECURITY PROGRAM FOR INTERNET CONNECTIVITY OF CERTAIN OBJECTS. (a) The department, in consultation with representatives of the information technology industry and voluntary standards organizations and the 10 state agencies that received the most state appropriations for that state fiscal year as determined by the Legislative Budget Board, shall develop a comprehensive risk management program that identifies baseline security features for the Internet connectivity of computing devices embedded in objects used or purchased by state agencies.
       (b)  In developing the program under Subsection (a), the department shall identify and use existing international security standards and best practices and any known security gaps for a range of deployments, including critical systems and consumer usage.

SECTION 7.  Section 2054.512(d), Government Code, is amended to read as follows:
       (d)  The cybersecurity council shall:
             (1)  consider the costs and benefits of establishing a computer emergency readiness team to address cyber attacks occurring in this state during routine and emergency situations;
             (2)  establish criteria and priorities for addressing cybersecurity threats to critical state installations;
             (3)  consolidate and synthesize best practices to assist state agencies in understanding and implementing cybersecurity measures that are most beneficial to this state; [and]
             (4)  assess the knowledge, skills, and capabilities of the existing information technology and cybersecurity workforce to mitigate and respond to cyber threats and develop recommendations for addressing immediate workforce deficiencies and ensuring a long-term pool of qualified applicants; and
             (5)  ensure all middle and high schools have knowledge of and access to:
                   (A)  free cybersecurity courses and curriculum approved by the Texas Education Agency;
                   (B)  state and regional information sharing and analysis centers; and
                   (C)  contracting benefits, including as provided by Section 2054.0565.

SECTION 8.  Subchapter N-1, Chapter 2054, Government Code, is amended by adding Sections 2054.517 and 2054.5172 to read as follows:
       Sec. 2054.517.  VENDOR RESPONSIBILITY FOR CYBERSECURITY. A vendor that contracts with this state to provide information resources technology for a state agency at a cost to the agency of $1 million or more is responsible for addressing known cybersecurity risks associated with the technology and is responsible for any cost associated with addressing the identified cybersecurity risks.
For a major information resources project, the vendor shall provide to state agency contracting personnel:
             (1)  a written attestation that:
                   (A)  the vendor has a cybersecurity risk management program consistent with:
                         (i)  the cybersecurity framework established by the National Institute of Standards and Technology;
                         (ii)  the 27000 series standards for information security published by the International Organization for Standardization; or
                         (iii)  other widely accepted security risk management frameworks;
                   (B)  the vendor's cybersecurity risk management program includes appropriate training and certifications for the employees performing work under the contract; and
                   (C)  the vendor has a vulnerability management program that addresses vulnerability identification, mitigation, and responsible disclosure, as appropriate; and
             (2)  an initial summary of any costs associated with addressing or remediating the identified technology or personnel-related cybersecurity risks as identified in collaboration with this state following a risk assessment.
       Sec. 2054.5172.  ENCRYPTED SECURE LAYER SERVICES REQUIRED. Each state agency that maintains a publicly accessible Internet website that requires the submission of sensitive personally identifiable information shall use an encrypted secure communication protocol, including a secure hypertext transfer protocol.

SECTION 9.  Subchapter B, Chapter 2155, Government Code, is amended by adding Section 2155.092 to read as follows:
       Sec. 2155.092.  VENDOR CERTIFICATION FOR CERTAIN GOODS. (a) This section does not apply to a good provided as part of a major information resources project as defined by Section 2054.003.
       (b)  A vendor offering to sell to the state a good embedded with a computing device capable of Internet connectivity must include with each bid, offer, proposal, or other expression of interest a written certification providing that the good does not contain, at the time of submitting the bid, offer, proposal, or expression of interest, a hardware, software, or firmware component with any known security vulnerability or defect.

SECTION 10.  Section 205.010(b), Local Government Code, is amended to read as follows:
       (b)  A local government that owns, licenses, or maintains computerized data that includes sensitive personal information shall comply, in the event of a breach of system security, with the notification requirements of:
             (1)  Sections 364.0051 and 364.0102 of this code; and
             (2)  Section 521.053, Business & Commerce Code, to the same extent as a person who conducts business in this state.

SECTION 11.  Subtitle C, Title 11, Local Government Code, is amended by adding Chapter 364 to read as follows:
CHAPTER 364. LOCAL GOVERNMENT CYBERSECURITY AND EMERGENCY PLANNING AND RESPONSE
SUBCHAPTER A. GENERAL PROVISIONS
       Sec. 364.0001.  DEFINITIONS. In this chapter:
             (1)  "Breach of system security" has the meaning assigned by Section 521.053, Business & Commerce Code.
             (2)  "Cybersecurity coordinator" means the state cybersecurity coordinator designated under Section 2054.511, Government Code.
             (3)  "Cybersecurity council" means the council established by the cybersecurity coordinator under Section 2054.512, Government Code.
             (4)  "Sensitive personal information" has the meaning assigned by Section 521.002, Business & Commerce Code.
SUBCHAPTER B. SECURITY BREACH NOTIFICATION
       Sec. 364.0051.  NOTICE TO CYBERSECURITY COORDINATOR.
Not later than 48 hours after a political subdivision discovers a breach or suspected breach of system security or an unauthorized exposure of sensitive personal information, the political subdivision shall notify the cybersecurity coordinator of the breach. The notification must describe the breach, suspected breach, or unauthorized exposure.
       Sec. 364.0052.  REPORT TO DEPARTMENT OF INFORMATION RESOURCES. The cybersecurity coordinator shall report to the Department of Information Resources any breach of system security reported by a political subdivision in which the person responsible for the breach:
             (1)  obtained or modified specific critical or sensitive personal information;
             (2)  established access to the political subdivision's information systems or infrastructure; or
             (3)  undermined, severely disrupted, or destroyed a core service, program, or function of the political subdivision, or placed the person in a position to do so in the future.
       Sec. 364.0053.  RULEMAKING. The cybersecurity coordinator may adopt rules necessary to implement this subchapter.
SUBCHAPTER C. EMERGENCY PLANNING AND RESPONSE
       Sec. 364.0101.  MULTIHAZARD EMERGENCY OPERATIONS PLAN; SAFETY AND SECURITY AUDIT. (a) This section applies to a municipality or county with a population of more than 100,000.
       (b)  Each municipality and county shall adopt and implement a multihazard emergency operations plan for use in the municipality's and county's facilities. The plan must address mitigation, preparedness, response, and recovery as determined by the cybersecurity council and the governor's public safety office.
The plan must provide for:
             (1)  municipal or county employee training in responding to an emergency;
             (2)  measures to ensure coordination with the Department of State Health Services, Department of Information Resources, local emergency management agencies, law enforcement agencies, local health departments, and fire departments in the event of an emergency; and
             (3)  the implementation of a safety and security audit as required by Subsection (c).
       (c)  At least once every three years, each municipality and county shall conduct a safety and security audit of the municipality's or county's information technology infrastructure. To the extent possible, a municipality or county shall follow safety and security audit procedures developed by the cybersecurity council or a comparable public or private entity.
       (d)  A municipality or county shall report the results of the safety and security audit conducted under Subsection (c):
             (1)  to the municipality's or county's governing body; and
             (2)  in the manner required by the cybersecurity council, to the cybersecurity council.
       (e)  Except as provided by Subsection (f), any document or information collected, developed, or produced during a safety and security audit conducted under Subsection (c) is not subject to disclosure under Chapter 552, Government Code.
       (f)  A document relating to a municipality's or county's multihazard emergency operations plan is subject to disclosure if the document enables a person to:
             (1)  verify that the municipality or county has established a plan and determine the agencies involved in the development of the plan and the agencies coordinating with the municipality or county to respond to an emergency;
             (2)  verify that the municipality's or county's plan was reviewed within the last 12 months and determine the specific review dates;
             (3)  verify that the plan addresses the phases of emergency management under Subsection (b);
             (4)  verify that municipal or county employees have been trained to respond to an emergency and determine the types of training, the number of employees trained, and the person conducting the training;
             (5)  verify that the municipality or county has completed a safety and security audit under Subsection (c) and determine the date the audit was conducted, the person conducting the audit, and the date the municipality or county presented the results of the audit to the municipality's or county's governing body; and
             (6)  verify that the municipality or county has addressed any recommendations by the municipality's or county's governing body for improvement of the plan and determine the municipality's or county's progress within the last 12 months.
       Sec. 364.0102.  RANSOMWARE PAYMENTS PROHIBITED. (a) In this section, "ransomware" has the meaning assigned by Section 33.023, Penal Code.
       (b)  A political subdivision may not make a ransomware payment related to a ransomware cyber attack.
       (c)  As soon as practicable after discovering a ransomware cyber attack, a political subdivision shall report the attack to the office of the attorney general and to the information sharing and analysis organization established by the Department of Information Resources under Sec. 2054.0594, Government Code.

SECTION 12.  Section 2155.092, Government Code, as added by this Act, applies only in relation to a contract for which a state agency first advertises or otherwise solicits bids, offers, proposals, or other expressions of interest on or after the effective date of this Act.

SECTION 13.  (a) Except as provided by Subsection (b) of this section, this Act takes effect September 1, 2021.
       (b)  Section 364.0102, Local Government Code, as added by this Act, takes effect September 1, 2022.