By: Harris of Williamson
H.B. No. 4023

A BILL TO BE ENTITLED
AN ACT
relating to security procedures for digital applications that pose a network security risk to state agencies.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Chapter 2054, Government Code, is amended by adding Subchapter S to read as follows:

SUBCHAPTER S. DIGITAL APPLICATION SECURITY PROCEDURES

Sec. 2054.621. DEFINITIONS. In this subchapter:
(1) "Digital application" means an Internet website or application that is open to the public, allows a user to create an account, and enables a user to communicate with other users by posting information, comments, messages, images, or video. The term does not include:
(A) an Internet service provider, as defined by Section 324.055, Business & Commerce Code;
(B) e-mail; or
(C) an online service, application, or Internet website:
(i) that consists primarily of news, sports, entertainment, or other content preselected by the provider that is not user generated; and
(ii) for which any chat, comment, or interactive functionality is incidental to, directly related to, or dependent on provision of the content described by Subparagraph (i).
(2) "Network security" has the meaning assigned by Section 2059.001.
(3) "User" means a person who posts, uploads, transmits, shares, or otherwise publishes or receives content through a digital application.

Sec. 2054.622. DIGITAL APPLICATION SECURITY RISK LIST. The department shall:
(1) compile, maintain, and annually update a list of digital applications that create a network security risk to state agencies;
(2) limit or prohibit the placement and use of digital applications on the list under Subdivision (1) on:
(A) state-owned cell phones, computers, and other communication devices; and
(B) personal communication devices of state agency employees that are used in the agency's office or other workplace; and
(3) post the list under Subdivision (1) on a publicly accessible web page on the department's Internet website.

Sec. 2054.623. DIGITAL APPLICATION SECURITY MODEL POLICY FOR STATE AGENCIES. The department shall develop, maintain, and periodically update a model policy for state agencies to use under Section 2054.624 in limiting or prohibiting the placement and use on communication devices of the digital applications included on the list compiled under Section 2054.622.

Sec. 2054.624. STATE AGENCY DIGITAL APPLICATION SECURITY POLICY.
(a) Each state agency shall develop, implement, and periodically update a policy limiting or prohibiting the placement and use of digital applications included on the list compiled under Section 2054.622 on:
(1) state-owned cell phones, computers, and other communication devices; and
(2) personal communication devices of state agency employees that are used in the agency's office or other workplace.
(b) Each state agency shall submit to the department a copy of the policy required under Subsection (a) and updates to the policy.
(c) The department:
(1) may offer recommendations for improvements to submitted policies;
(2) shall retain each copy and update submitted under Subsection (b); and
(3) shall notify each member of the legislature and the governor when a state agency submits a policy or update.

Sec. 2054.625. DISCLOSURE EXEMPTION. The model policy and state agency policies developed under this subchapter are exempt from disclosure under Chapter 552.

Sec. 2054.626. RULEMAKING AUTHORITY. The department may adopt rules to implement this subchapter.

SECTION 2.
(a) As soon as practicable after the effective date of this Act, but not later than January 1, 2024, the Department of Information Resources shall develop the digital application security risk list and model policy as required by Subchapter S, Chapter 2054, Government Code, as added by this Act.
(b) A state agency is not required to comply with Section 2054.624, Government Code, as added by this Act, until May 1, 2024.

SECTION 3. This Act takes effect September 1, 2023.