89R14618 LRM-D

By: Bell of Kaufman
H.B. No. 1500

A BILL TO BE ENTITLED
AN ACT
relating to the continuation and functions of the Department of Information Resources, including the composition of the governing body of the department.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Subchapter C, Chapter 656, Government Code, is amended by adding Sections 656.0505 and 656.0506 to read as follows:

Sec. 656.0505. VOLUNTARY CERTIFICATION COURSE ON PROCUREMENT OF INFORMATION RESOURCES TECHNOLOGIES.
(a) In this section:
    (1) "Department" means the Department of Information Resources.
    (2) "Information resources technologies" has the meaning assigned by Section 2054.003.
(b) In coordination with the comptroller, the department shall develop and implement a certification course on the procurement of information resources technologies and make the course available to a person who:
    (1) holds a purchasing certification issued under Section 656.051;
    (2) holds a contract management certification issued under Section 656.052; or
    (3) holds both certifications described by Subdivisions (1) and (2).
(c) The department shall provide the course at least quarterly and must provide the course in person.
(d) The department shall certify a state agency employee who successfully completes the course.
(e) Successful completion of the course may be credited toward any continuing education requirements for maintaining a certification under Section 656.051 or 656.052, or both.

Sec. 656.0506. TRAINING ON PURCHASES OF INFORMATION RESOURCES TECHNOLOGIES FOR CERTAIN STATE AGENCY OFFICERS AND EMPLOYEES.
(a) In this section:
    (1) "Department" means the Department of Information Resources.
    (2) "Information resources technologies" has the meaning assigned by Section 2054.003.
(b) The department shall develop and provide annual training for persons who serve in upper management positions at state agencies, including elected or appointed state officers and executive heads of state agencies on best practices and methodologies for purchasing information resources technologies.
(c) The department shall include in the training provided under Subsection (b) information the department covers in the certification programs established by Sections 656.051 and 656.052 that is related to the purchase of information resources technologies. The department may include additional topics in the training.
(d) The department may not require a person described by Subsection (b) to participate in the training.

SECTION 2. Section 2054.003(13), Government Code, is amended to read as follows:
    (13) "State agency" means, except as otherwise provided by this chapter, a department, commission, board, office, council, authority, or other agency in the executive or judicial branch of state government that is created by the constitution or a statute of this state, including a university system or institution of higher education as defined by Section 61.003, Education Code.

SECTION 3. Section 2054.005, Government Code, is amended to read as follows:

Sec. 2054.005. SUNSET PROVISION. [(a)] The Department of Information Resources is subject to Chapter 325 (Texas Sunset Act). Unless continued in existence as provided by that chapter, the department is abolished [and this chapter expires] September 1, 2037 [2025].

SECTION 4. Section 2054.021, Government Code, is amended by amending Subsections (a), (c), (f), (g), and (h) and adding Subsections (a-1), (c-1), (c-2), and (i) to read as follows:
(a) For purposes of this section, "state agency" has the meaning assigned by Section 2054.003 but does not include a department, commission, board, office, council, authority, or other agency in the judicial branch of state government.
(a-1) The department is governed by a board composed of 11 members as follows:
    (1) seven voting members appointed by the governor with the advice and consent of the senate; and
    (2) four nonvoting members as provided by Subsection (c). [One member must be employed by an institution of higher education as defined by Section 61.003, Education Code.]
(c) The governor shall appoint the four nonvoting members of the board as follows:
    (1) one member who is an employee of an institution of higher education, as defined by Section 61.003, Education Code;
    (2) two members who are employees of state agencies that are on the list provided under Subsection (c-1); and
    (3) one member who is an employee of a state agency with fewer than 500 full-time employees.
(c-1) Not later than December 1 of each even-numbered year, the department shall provide the governor a list of the 10 state agencies that spent the most money on products and services of the department during the previous state fiscal year.
(c-2) A nonvoting member of the board serves for a two-year term that expires February 1 of each odd-numbered year. [Two groups each composed of three ex officio members serve on the board on a rotating basis. The ex officio members serve as nonvoting members of the board. Only one group serves at a time. The first group is composed of the commissioner of insurance, the executive commissioner of the Health and Human Services Commission, and the executive director of the Texas Department of Transportation. Members of the first group serve for two-year terms that begin February 1 of every other odd-numbered year and that expire on February 1 of the next odd-numbered year. The second group is composed of the commissioner of education, the executive director of the Texas Department of Criminal Justice, and the executive director of the Parks and Wildlife Department. Members of the second group serve for two-year terms that begin February 1 of the odd-numbered years in which the terms of members of the first group expire and that expire on February 1 of the next odd-numbered year.]
(f) A [To be eligible to take office or serve as a voting or nonvoting member of the board, a] person who is appointed to and qualifies for office as a member of the board may not vote, deliberate, or be counted as a member in attendance at a meeting of the board until the person:
    (1) completes [appointed to or scheduled to serve as an ex officio member of the board must complete at least one course of] a training program that complies with Subsection (g); and
    (2) signs and submits to the executive director a statement acknowledging that the member completed the training program and the training required under Section 656.053 [this section]. [A voting or nonvoting board member must complete a training program that complies with Subsection (g) not later than the 180th day after the date on which the person takes office or begins serving as a member of the board.]
(g) The training program must provide the person with information [to the person] regarding:
    (1) the law governing department operations [this chapter] and the board to which the person is appointed to serve;
    (2) the programs, functions, rules, and budget of [operated by] the department;
    (3) the scope of and limitations on the rulemaking authority of the department [the role and functions of the department];
    (4) the results of the most recent formal audit of the department [rules of the department, with an emphasis on the rules that relate to disciplinary and investigatory authority];
    (5) the requirements of:
        (A) laws relating to open meetings, public information, administrative procedure, and disclosing conflicts of interest; and
        (B) other laws applicable to members of a state policy-making body in performing their duties [current budget for the department];
    (6) [the results of the most recent formal audit of the department;
    [(7) the requirements of the:
        [(A) open meetings law, Chapter 551;
        [(B) open records law, Chapter 552; and
        [(C) administrative procedure law, Chapter 2001;
    [(8) the requirements of the conflict of interest laws and other laws relating to public officials;
    [(9)] any applicable ethics policies adopted by the department or the Texas Ethics Commission; and
    (7) [(10)] contract management training.
(h) A person appointed to the board is entitled to reimbursement, as provided by the General Appropriations Act, for travel expenses incurred in attending the training program, regardless of whether the attendance at the program occurs before or after the person qualifies for office [as provided by the General Appropriations Act and as if the person were a member of the board].
(i) The executive director shall create a training manual that includes the information required by Subsection (g). The executive director shall distribute a copy of the training manual annually to each member of the board. Each member of the board shall sign and submit to the executive director a statement acknowledging that the member received and has reviewed the training manual.

SECTION 5. Section 2054.024(c), Government Code, is amended to read as follows:
(c) If the final result of an action brought in a court of competent jurisdiction is that a board [an ex officio or other] member [of the board] may not serve on the board under the Texas Constitution, the [appropriate individual shall promptly submit a list to the] governor shall appoint [for the appointment of] a replacement who may serve.

SECTION 6. The heading to Section 2054.033, Government Code, is amended to read as follows:

Sec. 2054.033. ESTABLISHMENT OF ADVISORY COMMITTEES; ADMINISTRATION AND REQUIREMENTS.

SECTION 7. Section 2054.033, Government Code, is amended by amending Subsection (a) and adding Subsections (e), (f), and (g) to read as follows:
(a) The board and the executive director, if authorized by the board, by rule may establish [appoint] advisory committees as the department considers necessary to provide expertise to the department.
(e) With respect to an advisory committee whose jurisdiction covers a service provided by the department to state agencies, in appointing members to the advisory committee the board shall:
    (1) to the extent practicable, ensure that the advisory committee is composed of a cross-section of the department's customers who use the service; and
    (2) appoint, in addition to the member required by Subsection (d), at least one member who is an employee of a state agency with 500 or fewer full-time employees.
(f) The board shall adopt rules to govern each advisory committee of the department. The rules must include:
    (1) the purpose, role, goals, composition, and duration of the advisory committee;
    (2) as to the advisory committee members:
        (A) the appointment procedures, terms, and quorum requirements;
        (B) conflict-of-interest policies; and
        (C) as advisable, member qualifications or training requirements;
    (3) as appropriate, a method the department must use to receive public input on issues considered by the advisory committee; and
    (4) as appropriate, a method for sharing findings and information of the advisory committee with the public and the board.
(g) Except as otherwise provided by this chapter, an advisory committee of the department is subject to Chapter 2110.

SECTION 8. Subchapter B, Chapter 2054, Government Code, is amended by adding Sections 2054.0333, 2054.0335, and 2054.0337 to read as follows:

Sec. 2054.0333. ADVISORY COMMITTEES ON DEPARTMENT FUNCTIONS REQUIRED. The board by rule shall establish advisory committees under Section 2054.033 that advise the board on governing the department and cover in subject matter the department's primary functions, including at least one advisory committee for each of the following subjects:
    (1) procurement under Subchapter B, Chapter 2157;
    (2) the development and implementation of information security programs; and
    (3) the preparation of the state strategic plan required by Section 2054.091.

Sec. 2054.0335. STATEWIDE INFORMATION SECURITY ADVISORY COMMITTEE.
(a) The board by rule shall establish an advisory committee under Section 2054.033 to make recommendations to the department on improving the effectiveness of the department's and this state's information security operations.
(b) The advisory committee must include members who are information security professionals employed by state agencies and local governments.
(c) The presiding officer of the advisory committee is the chief information security officer under Section 2054.510.

Sec. 2054.0337. CUSTOMER ADVISORY COMMITTEE.
(a) The board by rule shall establish an advisory committee under Section 2054.033 to report to and advise the board on improving the effectiveness and efficiency of services provided by the department to customers.
(b) The board shall appoint advisory committee members who are employees of state agencies that:
    (1) use the department's services; and
    (2) have 500 or fewer full-time employees, including at least three members who are employees of state agencies that have 150 or fewer full-time employees.

SECTION 9. Section 2054.035(b), Government Code, is amended to read as follows:
(b) The department shall prepare information of public interest describing the functions of the department [and the procedures by which complaints are filed with and resolved by the department]. The department shall make the information available to the public and appropriate state agencies.

SECTION 10. Section 2054.036, Government Code, is amended to read as follows:

Sec. 2054.036. COMPLAINTS.
(a) The department shall maintain a system to promptly and efficiently act on complaints filed with the department. The department shall maintain information about parties to the complaint, the subject matter of the complaint, and a summary of the results of the review or investigation of the complaint, and its disposition. [keep a file about each written complaint filed with the department that the department has authority to resolve. The department shall provide to the person filing the complaint and the persons or entities complained about the department's policies and procedures pertaining to complaint investigation and resolution. The department, at least quarterly and until final disposition of the complaint, shall notify the person filing the complaint and the persons or entities complained about of the status of the complaint unless the notice would jeopardize an undercover investigation.]
(b) The department shall make information available describing its procedures for complaint investigation and resolution [keep information about each complaint filed with the department]. [The information shall include:
    [(1) the date the complaint is received;
    [(2) the name of the complainant;
    [(3) the subject matter of the complaint;
    [(4) a record of all persons contacted in relation to the complaint;
    [(5) a summary of the results of the review or investigation of the complaint; and
    [(6) for complaints for which the department took no action, an explanation of the reason the complaint was closed without action.]
(c) The department shall periodically notify the complaint parties of the status of the complaint until final disposition unless the notice would jeopardize an ongoing investigation.

SECTION 11. Sections 2054.055(b) and (b-2), Government Code, are amended to read as follows:
(b) The report must:
    (1) assess the progress made toward meeting the goals and objectives of the state strategic plan for information resources management;
    (2) describe major accomplishments of the state or a specific state agency in information resources management;
    (3) describe major problems in information resources management confronting the state or a specific state agency;
    (4) provide a summary of the total expenditures for information resources and information resources technologies by the state;
    (5) make recommendations for improving the effectiveness and cost-efficiency of the state's use of information resources;
    (6) describe the status, progress, benefits, and efficiency gains of the state electronic Internet portal project, including any significant issues regarding contract performance;
    (7) provide a financial summary of the state electronic Internet portal project, including project costs and revenues;
    (8) [provide a summary of the amount and use of Internet-based training conducted by each state agency and institution of higher education;
    [(9)] provide a summary of agency and statewide results in providing access to electronic and information resources to individuals with disabilities as required by Subchapter M;
    (9) [(10)] assess the progress made toward accomplishing the goals of the plan for a state telecommunications network and developing a system of telecommunications services as provided by Subchapter H; and
    (10) [(11)] identify proposed major information resources projects for the next state fiscal biennium, including project costs through stages of the project and across state fiscal years from project initiation to implementation.
(b-2) The information required under Subsection (b)(10) [(b)(11)] must include:
    (1) final total cost of ownership budget data for the entire life cycle of the major information resources project, including capital and operational costs that itemize staffing costs, contracted services, hardware purchased or leased, software purchased or leased, travel, and training;
    (2) the original project schedule and the final actual project schedule;
    (3) data on the progress toward meeting the original goals and performance measures of the project, specifically those related to operating budget savings;
    (4) lessons learned on the project, performance evaluations of any vendors used in the project, and reasons for project delays or cost increases; and
    (5) the benefits, cost avoidance, and cost savings generated by major technology resources projects.

SECTION 12. Subchapter C, Chapter 2054, Government Code, is amended by adding Section 2054.057 to read as follows:

Sec. 2054.057. PROCUREMENT SERVICES PILOT PROGRAM.
(a) In this section:
    (1) "Participating state agency" means a state agency that the department has approved to participate in the pilot program.
    (2) "Pilot program" means the procurement services pilot program established under this section.
    (3) "State agency" means a board, commission, office, department, or other agency in the executive, judicial, or legislative branch of state government. The term does not include an institution of higher education, as defined by Section 61.003, Education Code.
(b) The department shall establish a pilot program under which the department provides assistance in the procurement of information resources technologies on request by a participating state agency.
(c) A state agency may participate in the pilot program only if the department approves of the participation in writing.
(d) The department may limit the:
    (1) number of participating state agencies in the pilot program; and
    (2) types of information resources technologies for which procurement assistance is provided under the pilot program.
(e) Services under the pilot program may include assistance with:
    (1) procurement planning;
    (2) developing a cost estimate for an information resources technologies project; and
    (3) drafting and developing a solicitation.
(f) With respect to any procurement assistance provided by the department under the pilot program, the department:
    (1) may not control the procurement for which the assistance is provided or the management of any resulting contract; and
    (2) is not civilly liable for damages resulting from the provision of procurement assistance unless the damages result from intentional conduct or gross negligence.
(g) Not later than December 1, 2028, the department shall submit a report to the legislature that includes a summary of the pilot program's activities and a recommendation of whether to continue or expand the program.
(h) This section expires January 1, 2029.

SECTION 13. Section 2054.075(b), Government Code, is amended to read as follows:
(b) Each state agency information resources manager is part of the agency's executive management and reports directly to the executive head or deputy executive head of the agency. Each state agency shall report to the department the extent and results of its compliance with this subsection and include with the report an organizational chart showing the structure of the personnel in the agency's executive management. [The department shall report the extent and results of state agencies' compliance with this subsection to the legislature.]

SECTION 14. Section 2054.097, Government Code, is amended by adding Subsections (c), (d), and (e) to read as follows:
(c) Once every two years, the department shall conduct a limited evaluation of the information resources deployment review of at least five state agencies to verify the accuracy of those reviews. The department may limit the evaluation to review responses on subjects that represent the highest risks or greatest opportunities for improvement regarding the state agency's software, hardware, compliance, and cybersecurity.
(d) The department is not required to conduct site visits as part of the limited evaluation required by Subsection (c).
(e) The department shall use information received from the limited evaluation required by Subsection (c) to:
    (1) update trainings for and outreach to information resources managers on accurately completing the information resources deployment review; and
    (2) recommend information resources technology solutions to state agencies as needed.

SECTION 15. Section 2054.2606(c), Government Code, is amended to read as follows:
(c) A licensing entity that establishes a profile system under this section shall determine the information to be included in the system and the manner for collecting and reporting the information. At a minimum, the entity shall include the following information in the profile system:
    (1) the name of the license holder and the address and telephone number of the license holder's primary practice location;
    (2) whether the license holder's patient, client, user, customer, or consumer service areas, as applicable, are accessible to [disabled] persons with disabilities, as defined by federal law;
    (3) the type of language translating services, including translating services for a person who is deaf or hard [with impairment] of hearing, that the license holder provides for patients, clients, users, customers, or consumers, as applicable;
    (4) if applicable, insurance information, including whether the license holder participates in the state child health plan under Chapter 62, Health and Safety Code, or the Medicaid program;
    (5) the education and training received by the license holder, as required by the licensing entity;
    (6) any specialty certification held by the license holder;
    (7) the number of years the person has practiced as a license holder; and
    (8) if applicable, any hospital affiliation of the license holder.

SECTION 16. Section 2054.456(a), Government Code, is amended to read as follows:
(a) Each state agency shall, in developing, procuring, maintaining, or using electronic and information resources, ensure that state employees with disabilities have access to and the use of those resources comparable to the access and use available to state employees without disabilities, unless compliance with this section imposes a significant difficulty or expense on the agency under Section 2054.460. Subject to Section 2054.460, the agency shall take reasonable steps to ensure that an [a disabled] employee with a disability has reasonable access to perform the employee's duties.

SECTION 17. The heading to Section 2054.515, Government Code, is amended to read as follows:

Sec. 2054.515. AGENCY DATA GOVERNANCE [INFORMATION SECURITY] ASSESSMENT AND REPORT.

SECTION 18. Section 2054.515, Government Code, is amended by amending Subsections (a), (c), and (d) and adding Subsection (a-1) to read as follows:
(a) At least once every two years, each state agency shall conduct an [information security] assessment of the agency's[:
    [(1) information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities; and
    [(2)] data governance program with participation from the agency's data management officer, if applicable, and in accordance with requirements established by department rule.
(a-1) Not later than June 1 of each even-numbered year, each state agency shall report the results of the assessment conducted under Subsection (a) to:
    (1) the department; and
    (2) on request, the governor, the lieutenant governor, and the speaker of the house of representatives.
(c) The department by rule shall establish the requirements for the [information security] assessment and report required by this section.
(d) The report and all documentation related to the [information security] assessment and report are confidential and not subject to disclosure under Chapter 552. The state agency or department may redact or withhold the information as confidential under Chapter 552 without requesting a decision from the attorney general under Subchapter G, Chapter 552.

SECTION 19. Sections 2054.5191(a), (a-1), and (a-2), Government Code, are amended to read as follows:
(a) At least once each year, each employee of a [Each] state agency [shall identify state employees who use a computer to complete at least 25 percent of the employee's required duties. At least once each year, an employee identified by the state agency] and each elected or appointed officer of the agency shall complete a cybersecurity training program certified under Section 2054.519.
(a-1) At least once each year, each employee and each elected or appointed official of a local government shall[:
    [(1) identify local government employees and elected and appointed officials who have access to a local government computer system or database and use a computer to perform at least 25 percent of the employee's or official's required duties; and
    [(2) require the employees and officials identified under Subdivision (1) to] complete a cybersecurity training program certified under Section 2054.519.
(a-2) The governing body of a local government or the governing body's designee may deny access to the local government's computer system or database to an employee or official of the local government [an individual described by Subsection (a-1)(1)] who the governing body or the governing body's designee determines is noncompliant with the requirements of Subsection (a-1) [(a-1)(2)].

SECTION 20. Subchapter N-1, Chapter 2054, Government Code, is amended by adding Section 2054.5195 to read as follows:

Sec. 2054.5195. INFORMATION SECURITY ASSESSMENT AND PENETRATION TEST REQUIRED.
(a) This section does not apply to a university system or institution of higher education as defined by Section 61.003, Education Code.
(b) At least once every two years, the department shall require each state agency to complete an information security assessment and a penetration test to be performed by the department or, at the department's discretion, a vendor selected by the department.
(c) The department shall establish rules as necessary to implement this section, including rules for the procurement of a vendor under Subsection (b).

SECTION 21. The following provisions of the Government Code are repealed:
    (1) Section 2054.021(d);
    (2) Section 2054.023(c);
    (3) Section 2054.0331;
    (4) Section 2054.091(d);
    (5) Section 2054.0925(c);
    (6) Section 2054.515(b), as amended by Chapter 567 (S.B. 475), Acts of the 87th Legislature, Regular Session, 2021; and
    (7) Section 2054.515(b), as amended by Chapter 856 (S.B. 800), Acts of the 87th Legislature, Regular Session, 2021.

SECTION 22.
(a) In this section, "institution of higher education" has the meaning assigned by Section 61.003, Education Code.
(b) As soon as possible after the effective date of this Act, as the terms of members of the governing board of the Department of Information Resources expire or as vacancies occur, the governor shall appoint members to the board so that the board is composed in accordance with Section 2054.021, Government Code, as amended by this Act, except that the term of the member of the board serving on the board immediately before the effective date of this Act who holds the position of the member who is employed by an institution of higher education expires on that date. A member of the governing board whose term expires under this subsection is eligible for reappointment under Subsection (c) of this section.
(c) Not later than December 1, 2025, the governor shall appoint the following members to the governing board of the Department of Information Resources in accordance with Section 2054.021, Government Code, as amended by this Act:
    (1) one voting member to serve a term that expires February 1, 2031; and
    (2) one nonvoting member to the position of the member who is employed by an institution of higher education to serve a term that expires February 1, 2027.

SECTION 23.
(a) Except as provided by Subsection (b) of this section, Section 2054.021(f), Government Code, as amended by this Act, applies to a member of the governing board of the Department of Information Resources appointed before, on, or after the effective date of this Act.
(b) A member of the governing board of the Department of Information Resources who, before the effective date of this Act, completed the training program required by Section 2054.021(f), Government Code, and described in Section 2054.021(g), Government Code, as that law existed before the effective date of this Act, is only required to complete additional training on the subjects added by this Act to the training program described by Section 2054.021(g), Government Code. A member described by this subsection may not vote, deliberate, or be counted as a member in attendance at a meeting of the board held on or after December 1, 2025, until the member completes the additional training.

SECTION 24. This Act takes effect September 1, 2025.