88R2648 JXC-D

By: Raymond
H.B. No. 4892

A BILL TO BE ENTITLED
AN ACT
relating to physical security and cybersecurity practices for certain utilities that provide electricity service and an independent organization certified to manage a power region.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1.  The heading to Subchapter B, Chapter 31, Utilities Code, is amended to read as follows:

SUBCHAPTER B. PHYSICAL SECURITY AND CYBERSECURITY

SECTION 2.  The heading to Section 31.052, Utilities Code, is amended to read as follows:

Sec. 31.052.  PHYSICAL SECURITY AND CYBERSECURITY COORDINATION PROGRAM FOR UTILITIES.

SECTION 3.  Section 31.052(a), Utilities Code, is amended to read as follows:

(a)  The commission shall establish a program to monitor and support physical security and cybersecurity efforts among utilities in this state. The program shall:
    (1)  provide guidance, technical assistance, and training on best practices in physical security and cybersecurity and facilitate the sharing of cybersecurity information between utilities; [and]
    (2)  provide guidance, technical assistance, and training on best practices for physical security and cybersecurity controls for supply chain risk management of cybersecurity systems used by utilities, which may include, as applicable, best practices related to:
        (A)  software integrity and authenticity;
        (B)  vendor risk management and procurement controls, including notification by vendors of incidents related to the vendor's products and services; and
        (C)  vendor remote access;
    (3)  develop models, assessments, and auditing procedures for a utility to self-assess physical security and cybersecurity; and
    (4)  provide opportunities for utilities to share with each other best practices for and information on physical security and cybersecurity.

SECTION 4.  Section 39.151(o), Utilities Code, is amended to read as follows:

(o)  An independent organization certified by the commission under this section shall:
    (1)  conduct internal physical security and cybersecurity risk assessment, vulnerability testing, and employee training to the extent the independent organization is not otherwise required to do so under applicable state and federal physical security, cybersecurity, and information security laws; and
    (2)  submit a report annually to the commission on the independent organization's compliance with applicable physical security, cybersecurity, and information security laws.

SECTION 5.  This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution.  If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2023.