By: Capriglione H.B. No. 1467       A BILL TO BE ENTITLED   AN ACT   relating to reports on and purchase of information technology by   state agencies.          BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:          SECTION 1.  Section 552.139(b), Government Code, is amended   by adding subsection (4) to read as follows:          (b)  The following information is confidential:                (1)  a computer network vulnerability report;                (2)  any other assessment of the extent to which data   processing operations, a computer, a computer program, network,   system, or system interface, or software of a governmental body or   of a contractor of a governmental body is vulnerable to   unauthorized access or harm, including an assessment of the extent   to which the governmental body's or contractor's electronically   stored information containing sensitive or critical information is   vulnerable to alteration, damage, erasure, or inappropriate use;   and                (3)  a photocopy or other copy of an identification   badge issued to an official or employee of a governmental body.                (4)  information collected, assembled, or maintained   by or for a governmental entity to prevent, detect, or investigate   security incidents.          SECTION 2.  Subchapter C, Chapter 2054, Government Code, is   amended by adding Section 2054.068 to read as follows:          Sec. 2054.068.  INFORMATION TECHNOLOGY INFRASTRUCTURE   REPORT.  (a)  In this section, "information technology" includes   information resources and information resources technologies.          (b)  The department shall collect from each state agency   information on the status and condition of the agency's information   technology infrastructure, including information regarding:                (1)  the agency's information security program;                (2)  an inventory of the agency's servers, mainframes,   and other information technology equipment;                (3)  identification of vendors that operate and manage   the agency's information technology infrastructure; and                (4)  any additional related information requested by   the department.          (c)  A state agency shall provide the information required by   Subsection (b) to the department according to a schedule determined   by the department.          (d)  Not later than August 31 of each even-numbered year, the   department shall submit to the governor, chair of the house   appropriations committee, chair of the senate finance committee,   speaker of the house of representatives, lieutenant governor, and   staff of the Legislative Budget Board a consolidated report of the   information submitted by state agencies under Subsection (b).          (e)  The consolidated report required by Subsection (d)   must:                (1)  include an analysis and assessment of each state   agency's security and operational risks; and                (2)  for a state agency found to be at higher security   and operational risks, include a detailed analysis of the   requirements for the agency to address the risks and related   vulnerabilities and the cost estimates to implement those   requirements.          (f)  With the exception of information that is confidential   under Chapter 552, including Section 552.139, or other state or   federal law, the consolidated report submitted under Subsection (d)   is public information and must be released or made available to the   public upon request.  A governmental body as defined by Section   552.003, Government Code, may withhold information confidential   under Chapter 552, including Section 552.139, or other state or   federal law that is contained in a consolidated report released   under this section without the necessity of requesting a decision   from the attorney general under Subchapter G, Chapter 552,   Government Code.          (g)  This section does not apply to an institution of higher   education or university system, as defined by Section 61.003,   Education Code.          SECTION 3.  Section 2054.0965(a), Government Code, is   amended to read as follows:          (a)  Not later than March 31 [December 1] of each   even-numbered [odd-numbered] year, a state agency shall complete a   review of the operational aspects of the agency's information   resources deployment following instructions developed by the   department.          SECTION 4.  Section 2157.007, Government Code, is amended by   amending Subsection (b) and adding Subsection (e) to read as   follows:          (b)  A state agency shall [may] consider cloud computing   service options, including any cost savings associated with   purchasing those service options from a commercial cloud computing   service provider and a statewide technology center established by   the department, when making purchases for a major information   resources project under Section 2054.118.          (e)  Not later than August 1 of each even-numbered year, the   department, using existing resources, shall submit a report to the   governor, lieutenant governor, and speaker of the house of   representatives on the use of cloud computing service options by   state agencies.  The report must include use cases that provided   cost savings and other benefits, including security enhancements.   A state agency shall cooperate with the department in the creation   of the report by providing timely and accurate information and any   assistance required by the department.          SECTION 5.  This Act takes effect September 1, 2017.