HB 150

AN ACT relating to the establishment of the Texas Cyber Command as a

House Bill Capriglione | Bonnen | Hefner | Lujan | Lopez, Ray
Filed

89th Regular Session

Jan 14, 2025 - Jun 2, 2025 • Session ended

Awaiting Committee Assignment

Bill filed, pending referral to House committee

Committee

Not yet assigned

Fiscal Note

Not available

Bill Text

relating to the establishment of the Texas Cyber Command as a
component institution of The University of Texas System and the
transfer to it of certain powers and duties of the Department of
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1.  Subtitle B, Title 10, Government Code, is
amended by adding Chapter 2063 to read as follows:
CHAPTER 2063.  TEXAS CYBER COMMAND
SUBCHAPTER A.  GENERAL PROVISIONS
Sec. 2063.001.  DEFINITIONS.  In this chapter:
(1)  "Chief" means the chief of the Texas Cyber
(2)  "Command" means the Texas Cyber Command
established under this chapter.
(3)  "Covered entity" means a private entity operating
critical infrastructure or a local government that the command
contracts with in order to provide cybersecurity services under
(4)  "Critical infrastructure" means infrastructure in
this state vital to the security, governance, public health and
safety, economy, or morale of the state or the nation, including:
(G)  emergency services systems;
(I)  financial services systems;
(J)  food and agriculture facilities;
(L)  health care and public health facilities;
(M)  information technology and information
(N)  nuclear reactors, materials, and waste;
(O)  transportation systems; or
(P)  water and wastewater systems.
(5)  "Cybersecurity" means the measures taken to
protect a computer, computer network, computer system, or other
technology infrastructure against unauthorized:
(A)  use, access, disruption, modification, or
(B)  disclosure, modification, or destruction of
(6)  "Cybersecurity incident" includes:
(A)  a breach or suspected breach of system
security as defined by Section 521.053, Business & Commerce Code;
(B)  the introduction of ransomware, as defined by
Section 33.023, Penal Code, into a computer, computer network, or
(C)  any other cybersecurity-related occurrence
that jeopardizes information or an information system designated by
command policy adopted under this chapter.
(7)  "Department" means the Department of Information
(8)  "Governmental entity" means this state, a state
(9)  "Information resources" has the meaning assigned
by Section 2054.003, Government Code.
(10)  "Information resources technologies" has the
meaning assigned by Section 2054.003.
(11)  "Local government" has the meaning assigned by
(12)  "Sensitive personal information" has the meaning
assigned by Section 521.002, Business & Commerce Code.
(A)  a department, commission, board, office, or
other agency that is in the executive or legislative branch of state
government and that was created by the constitution or a statute;
(B)  the supreme court, the court of criminal
appeals, a court of appeals, a district court, or the Texas Judicial
Council or another agency in the judicial branch of state
(C)  a university system or an institution of
higher education as defined by Section 61.003, Education Code.
Sec. 2063.002.  ORGANIZATION.  (a)  The Texas Cyber Command
is a component of The University of Texas System and
administratively attached to The University of Texas at San
(b)  The command is managed by a chief appointed by the
governor and confirmed with the advice and consent of the senate.
The chief serves at the pleasure of the governor and must possess
professional training and knowledge relevant to the functions and
(c)  The command shall employ other coordinating and
planning officers and other personnel necessary to the performance
(d)  Under an agreement with the command, The University of
Texas at San Antonio shall provide administrative support services
for the command as necessary to carry out the purposes of this
Sec. 2063.003.  ESTABLISHMENT AND PURPOSE.  (a)  The command
is established to prevent and respond to cybersecurity incidents
that affect governmental entities and critical infrastructure in
(b)  The command is responsible for cybersecurity for this
(1)  developing tools to enhance cybersecurity
(2)  facilitating education and training of a
(3)  in collaboration with the department,
establishing appropriate cybersecurity standards; and
(4)  creating partnerships needed to effectively carry
Sec. 2063.004.  GENERAL POWERS AND DUTIES.  (a)  The command
(1)  promote public awareness of cybersecurity issues;
(2)  develop cybersecurity best practices and minimum
standards for governmental entities;
(3)  develop and provide training to state agencies and
covered entities on cybersecurity measures and awareness;
(4)  administer the cybersecurity threat intelligence
(5)  provide support to state agencies and covered
entities experiencing a cybersecurity incident;
(6)  administer the digital forensics laboratory under
(7)  administer a statewide portal for enterprise
cybersecurity threat, risk, and incident management, and operate a
cybersecurity hotline available for state agencies and covered
entities 24 hours a day, seven days a week;
(8)  collaborate with law enforcement agencies to
provide training and support related to cybersecurity incidents;
(9)  serve as a clearinghouse for information relating
to all aspects of protecting the cybersecurity of governmental
entities, including sharing appropriate intelligence and
information with governmental entities, federal agencies, and
(10)  collaborate with the department to ensure
information resources and information resources technologies
obtained by the department meet the cybersecurity standards and
requirements established under this chapter;
(11)  offer cybersecurity resources to state agencies
and covered entities as determined by the command; and
(12)  adopt policies to ensure state agencies implement
sufficient cybersecurity measures to defend information resources,
information resources technologies, and sensitive personal
information maintained by the agencies.
(1)  adopt and enforce policies necessary to carry out
(2)  adopt and use an official seal;
(3)  establish ad hoc advisory committees as necessary
to carry out the command's duties under this chapter;
(4)  acquire and convey property or an interest in
(5)  procure insurance and pay premiums on insurance of
any type, in accounts, and from insurers as the command considers
necessary and advisable to accomplish any of the command's duties;
(6)  hold patents, copyrights, trademarks, or other
evidence of protection or exclusivity issued under the laws of the
United States, any state, or any nation and may enter into license
agreements with any third parties for the receipt of fees,
royalties, or other monetary or nonmonetary value.
(c)  Except as otherwise provided by this chapter, the
command shall deposit money paid to the command under this chapter
in the state treasury to the credit of the general revenue fund.
Sec. 2063.005.  COST RECOVERY.  The command shall recover
the cost of providing direct technical assistance, training
services, and other services to covered entities when reasonable
Sec. 2063.007.  EMERGENCY PURCHASING.  In the event the
emergency response to a cybersecurity incident requires the command
to purchase an item, the command is exempt from the requirements of
Sections 2155.0755, 2155.083, and 2155.132(c) in making the
Sec. 2063.008.  RULES.  The governor may adopt rules
necessary for carrying out the purposes of this chapter.
Sec. 2063.009.  APPLICATION OF SUNSET ACT.  The command is
subject to Chapter 325 (Texas Sunset Act).  Unless continued in
existence as provided by that chapter, the command is abolished
SUBCHAPTER B.  MINIMUM STANDARDS AND TRAINING
Sec. 2063.101.  BEST PRACTICES AND MINIMUM STANDARDS FOR
CYBERSECURITY AND TRAINING.  (a)  The command shall develop and
annually assess best practices and minimum standards for use by
governmental entities to enhance the security of information
(b)  The command shall establish and periodically assess
mandatory cybersecurity training that must be completed by all
information resources employees of state agencies.  The command
shall consult with the Information Technology Council for Higher
Education established under Section 2054.121 regarding applying
the training requirements to employees of institutions of higher
(c)  The command shall adopt policies to ensure governmental
entities are complying with the requirements of this section.
SUBCHAPTER C.  CYBERSECURITY PREVENTION, RESPONSE, AND RECOVERY
Sec. 2063.201.  CYBERSECURITY THREAT INTELLIGENCE CENTER.
(a)  In this section, "center" means the cybersecurity threat
intelligence center established under this section.
(b)  The command shall establish a cybersecurity threat
intelligence center.  The center, in coordination with the
(1)  operate the information sharing and analysis
organization established under Section 2063.204; and
(2)  use regional security operations centers
established under Subchapter G and the cybersecurity incident
response unit under Section 2063.202 to assist governmental
entities in responding to a cybersecurity incident.
(c)  The chief may employ a director for the center.
Sec. 2063.202.  CYBERSECURITY INCIDENT RESPONSE UNIT.  (a)
The command shall establish a dedicated cybersecurity incident
(1)  detect and contain cybersecurity incidents in
collaboration with the cybersecurity threat intelligence center
(2)  engage in threat neutralization, including
removing malware, disallowing unauthorized access, and patching
vulnerabilities in information resources technologies;
(3)  in collaboration with the digital forensics
laboratory under Section 2063.203, undertake mitigation efforts if
sensitive personal information is breached during a cybersecurity
(4)  loan resources to state agencies and covered
entities to promote continuity of operations while the agency or
entity restores the systems affected by a cybersecurity incident;
(5)  assist in the restoration of information resources
and information resources technologies after a cybersecurity
incident and conduct post-incident monitoring;
(6)  in collaboration with the cybersecurity threat
intelligence center under Section 2063.201 and digital forensics
laboratory under Section 2063.203, identify weaknesses, establish
risk mitigation options and effective vulnerability-reduction
strategies, and make recommendations to state agencies and covered
entities that have been the target of a cybersecurity attack or have
experienced a cybersecurity incident in order to remediate
identified cybersecurity vulnerabilities;
(7)  in collaboration with the cybersecurity threat
intelligence center under Section 2063.201, the digital forensics
laboratory under Section 2063.203, the Texas Division of Emergency
Management, and other state agencies, conduct, support, and
participate in cyber-related exercises; and
(8)  undertake any other activities necessary to carry
out the duties described by this subsection.
(b)  The chief shall employ a director for the cybersecurity
Sec. 2063.203.  DIGITAL FORENSICS LABORATORY.  (a)  The
command shall establish a digital forensics laboratory to:
(1)  in collaboration with the cybersecurity incident
response unit under Section 2063.202, develop procedures to:
(A)  preserve evidence of a cybersecurity
incident, including logs and communication;
(B)  document chains of custody; and
(C)  timely notify and maintain contact with the
appropriate law enforcement agencies investigating a cybersecurity
(2)  develop and share with relevant state agencies and
covered entities cyber threat hunting tools and procedures to
assist in identifying indicators of a compromise in the
cybersecurity of state information systems and non-state
information systems, as appropriate, for proactive discovery of
(3)  conduct analyses of causes of cybersecurity
incidents and of remediation options;
(4)  conduct assessments of the scope of harm caused by
cybersecurity incidents, including data loss, compromised systems,
(5)  provide information and training to state agencies
and covered entities on producing reports required by regulatory
(6)  in collaboration with the Department of Public
Safety, the Texas Military Department, the office of the attorney
general, and other state agencies, provide forensic analysis of a
cybersecurity incident to support an investigation, attribution
process, or other law enforcement or judicial action; and
(7)  undertake any other activities necessary to carry
out the duties described by this subsection.
(b)  The chief shall employ a director for the digital
Sec. 2063.205.  POLICIES.  The command shall adopt policies
and procedures necessary to enable the entities established in this
subchapter to carry out their respective duties and purposes.
SUBCHAPTER E.  CYBERSECURITY PREPARATION AND PLANNING
Sec. 2063.404.  ONGOING INFORMATION TRANSMISSIONS.
Information received from state agencies by the department under
Section 2054.069 shall be transmitted by the department to the
SECTION 2.  Section 2054.510, Government Code, is
transferred to Subchapter A, Chapter 2063, Government Code, as
added by this Act, redesignated as Section 2063.0025, Government
Code, and amended to read as follows:
Sec. 2063.0025 [2054.510].  COMMAND CHIEF [INFORMATION
SECURITY OFFICER].  (a)  In this section, "state cybersecurity
[information security] program" means the policies, standards,
procedures, elements, structure, strategies, objectives, plans,
metrics, reports, services, and resources that establish the
cybersecurity [information resources security] function for this
(b)  The chief directs the day-to-day operations and
policies of the command and oversees and is responsible for all
functions and duties of the command.  [The executive director,
using existing funds, shall employ a chief information security
(c)  The chief [information security officer] shall oversee
cybersecurity matters for this state including:
(1)  implementing the duties described by Section
(2)  [responding to reports received under Section
[(3)]  developing a statewide cybersecurity
[information security] framework;
(3) [(4)]  overseeing the development of cybersecurity
[statewide information security] policies and standards;
(4) [(5)]  collaborating with [state agencies, local]
governmental entities[,] and other entities operating or
exercising control over state information systems or
state-controlled data critical to strengthen this state's
cybersecurity and information security policies, standards, and
(5) [(6)]  overseeing the implementation of the
policies, standards, and requirements [guidelines] developed under
this chapter [Subdivisions (3) and (4)];
(6) [(7)]  providing cybersecurity [information
security] leadership, strategic direction, and coordination for
the state cybersecurity [information security] program;
(7) [(8)]  providing strategic direction to:
(A)  the network security center established
(B)  regional security operations [statewide
technology] centers operated under Subchapter G [L]; and
(8) [(9)]  overseeing the preparation and submission
of the report described by Section 2063.301 [2054.0591].
SECTION 3.  Section 2054.0592, Government Code, is
transferred to Subchapter A, Chapter 2063, Government Code, as
added by this Act, redesignated as Section 2063.006, Government
Code, and amended to read as follows:
Sec. 2063.006 [2054.0592].  CYBERSECURITY EMERGENCY
FUNDING.  If a cybersecurity event creates a need for emergency
funding, the command [department] may request that the governor or
Legislative Budget Board make a proposal under Chapter 317 to
provide funding to manage the operational and financial impacts
SECTION 4.  Section 2054.519, Government Code, is
transferred to Subchapter B, Chapter 2063, Government Code, as
added by this Act, redesignated as Section 2063.102, Government
Code, and amended to read as follows:
Sec. 2063.102 [2054.519].  STATE CERTIFIED CYBERSECURITY
TRAINING PROGRAMS.  (a)  The command [department], in consultation
with the cybersecurity council established under Section 2063.406
[2054.512] and industry stakeholders, shall annually:
(1)  certify at least five cybersecurity training
programs for state and local government employees; and
(2)  update standards for maintenance of certification
by the cybersecurity training programs under this section.
(b)  To be certified under Subsection (a), a cybersecurity
(1)  focus on forming appropriate cybersecurity
[information security] habits and procedures that protect
(2)  teach best practices and minimum standards
established under this subchapter [for detecting, assessing,
reporting, and addressing information security threats].
(c)  The command [department] may identify and certify under
Subsection (a) training programs provided by state agencies and
local governments that satisfy the training requirements described
(d)  The command [department] may contract with an
independent third party to certify cybersecurity training programs
(e)  The command [department] shall annually publish on the
command's [department's] Internet website the list of cybersecurity
training programs certified under this section.
SECTION 5.  Section 2054.5191, Government Code, is
transferred to Subchapter B, Chapter 2063, Government Code, as
added by this Act, redesignated as Section 2063.103, Government
Code, and amended to read as follows:
Sec. 2063.103 [2054.5191].  CYBERSECURITY TRAINING REQUIRED
[: CERTAIN EMPLOYEES AND OFFICIALS].  (a)  Each elected or appointed
official and employee of a governmental entity who has access to the
entity's information resources or information resources
technologies [state agency shall identify state employees who use a
computer to complete at least 25 percent of the employee's required
duties.  At least once each year, an employee identified by the
state agency and each elected or appointed officer of the agency]
shall annually complete a cybersecurity training program certified
under Section 2063.102 [2054.519].
(b)  [(a-1)  At least once each year, a local government
[(1)  identify local government employees and elected
and appointed officials who have access to a local government
computer system or database and use a computer to perform at least
25 percent of the employee's or official's required duties; and
[(2)  require the employees and officials identified
under Subdivision (1) to complete a cybersecurity training program
certified under Section 2054.519.
[(a-2)]  The governing body of a governmental entity [local
government] or the governing body's designee may deny access to the
governmental entity's information resources or information
resources technologies [local government's computer system or
database] to an employee or official [individual described by
Subsection (a-1)(1)] who [the governing body or the governing
body's designee determines] is noncompliant with the requirements
(c) [(b)]  The governing body of a local government may
select the most appropriate cybersecurity training program
certified under Section 2063.102 [2054.519] for employees and
officials of the local government to complete.  The governing body
(1)  verify and report on the completion of a
cybersecurity training program by employees and officials of the
local government to the command [department]; and
(2)  require periodic audits to ensure compliance with
(d) [(c)]  A state agency may select the most appropriate
cybersecurity training program certified under Section 2063.102
[2054.519] for employees and officials of the state agency.  The
executive head of each state agency shall verify completion of a
cybersecurity training program by employees and officials of the
state agency in a manner specified by the command [department].
(e) [(d)]  The executive head of each state agency shall
periodically require an internal review of the agency to ensure
(f) [(e)]  The command [department] shall develop a form for
use by governmental entities [state agencies and local governments]
in verifying completion of cybersecurity training program
requirements under this section.  The form must allow the state
agency and local government to indicate the percentage of employee
(g) [(f)]  The requirements of Subsection [Subsections] (a)
[and (a-1)] do not apply to employees and officials who have been:
(2)  granted leave under the federal Family and Medical
Leave Act of 1993 (29 U.S.C. Section 2601 et seq.);
(3)  granted leave related to a sickness or disability
covered by workers' compensation benefits, if that employee or
official no longer has access to the governmental entity's
information resources or information resources technologies [state
agency's or local government's database and systems];
(4)  granted any other type of extended leave or
authorization to work from an alternative work site if that
employee or official no longer has access to the governmental
entity's information resources or information resources
technologies [state agency's or local government's database and
(5)  denied access to a governmental entity's
information resources or information resources technologies [local
government's computer system or database by the governing body of
the local government or the governing body's designee] under
Subsection (b) [(a-2)] for noncompliance with the requirements of
SECTION 6.  Section 2054.5192, Government Code, is
transferred to Subchapter B, Chapter 2063, Government Code, as
added by this Act, redesignated as Section 2063.104, Government
Code, and amended to read as follows:
Sec. 2063.104  [2054.5192].  CYBERSECURITY TRAINING
REQUIRED: CERTAIN STATE CONTRACTORS.  (a)  In this section,
"contractor" includes a subcontractor, officer, or employee of the
(b)  A state agency shall require any contractor who has
access to a state computer system or database to complete a
cybersecurity training program certified under Section 2063.102
[2054.519] as selected by the agency.
(c)  The cybersecurity training program must be completed by
a contractor during the term of the contract and during any renewal
(d)  Required completion of a cybersecurity training program
must be included in the terms of a contract awarded by a state
(e)  A contractor required to complete a cybersecurity
training program under this section shall verify completion of the
program to the contracting state agency.  The person who oversees
contract management for the agency shall:
(1)  not later than August 31 of each year, report the
contractor's completion to the command [department]; and
(2)  periodically review agency contracts to ensure
SECTION 7.  Section 2054.0594, Government Code, is
transferred to Subchapter C, Chapter 2063, Government Code, as
added by this Act, redesignated as Section 2063.204, Government
Code, and amended to read as follows:
Sec. 2063.204  [2054.0594].  INFORMATION SHARING AND
ANALYSIS ORGANIZATION.  (a)  The command [department] shall
establish an information sharing and analysis organization to
provide a forum for state agencies, local governments, public and
private institutions of higher education, and the private sector to
share information regarding cybersecurity threats, best practices,
(b)  [The department shall provide administrative support to
the information sharing and analysis organization.
[(c)]  A participant in the information sharing and analysis
organization shall assert any exception available under state or
federal law, including Section 552.139, in response to a request
for public disclosure of information shared through the
organization.  Section 552.007 does not apply to information
(c) [(d)]  The command [department] shall establish a
framework for regional cybersecurity task forces [working groups]
to execute mutual aid agreements that allow state agencies, local
governments, regional planning commissions, public and private
institutions of higher education, the private sector, the regional
security operations centers under Subchapter G, and the
cybersecurity incident response unit under Section 2063.202 [and
the incident response team established under Subchapter N-2] to
assist with responding to a cybersecurity incident [event] in this
state.  A task force [working group] may be established within the
geographic area of a regional planning commission established under
Chapter 391, Local Government Code.  The task force [working group]
may establish a list of available cybersecurity experts and share
resources to assist in responding to the cybersecurity incident
[event] and recovery from the incident [event].
SECTION 8.  Chapter 2063, Government Code, as added by this
Act, is amended by adding Subchapter D, and a heading is added to
that subchapter to read as follows:
SECTION 9.  Sections 2054.0591 and 2054.077, Government
Code, are transferred to Subchapter D, Chapter 2063, Government
Code, as added by this Act, redesignated as Sections 2063.301 and
2063.302, Government Code, respectively, and amended to read as
Sec. 2063.301  [2054.0591].  CYBERSECURITY REPORT.  (a)  Not
later than November 15 of each even-numbered year, the command
[department] shall submit to the governor, the lieutenant governor,
the speaker of the house of representatives, and the standing
committee of each house of the legislature with primary
jurisdiction over state government operations a report identifying
preventive and recovery efforts the state can undertake to improve
cybersecurity in this state.  The report must include:
(1)  an assessment of the resources available to
address the operational and financial impacts of a cybersecurity
(2)  a review of existing statutes regarding
cybersecurity and information resources technologies; and
(3)  recommendations for legislative action to
increase the state's cybersecurity and protect against adverse
impacts from a cybersecurity incident [event; and
[(4)  an evaluation of a program that provides an
information security officer to assist small state agencies and
local governments that are unable to justify hiring a full-time
(b)  Not later than October 1 of each even-numbered year, the
command shall submit a report to the Legislative Budget Board that
prioritizes, for the purpose of receiving funding, state agency
cybersecurity projects. Each state agency shall coordinate with the
command to implement this subsection.
(c) [(b)]  The command [department] or a recipient of a
report under this section may redact or withhold information
confidential under Chapter 552, including Section 552.139, or other
state or federal law that is contained in the report in response to
a request under Chapter 552 without the necessity of requesting a
decision from the attorney general under Subchapter G, Chapter 552.
The disclosure of information under this section is not a voluntary
disclosure for purposes of Section 552.007.
Sec. 2063.302  [2054.077].  VULNERABILITY REPORTS.  (a)  In
this section, a term defined by Section 33.01, Penal Code, has the
meaning assigned by that section.
(b)  The information security officer of a state agency shall
prepare or have prepared a report, including an executive summary
of the findings of the biennial report, not later than June 1 of
each even-numbered year, assessing the extent to which a computer,
a computer program, a computer network, a computer system, a
printer, an interface to a computer system, including mobile and
peripheral devices, computer software, or data processing of the
agency or of a contractor of the agency is vulnerable to
unauthorized access or harm, including the extent to which the
agency's or contractor's electronically stored information is
vulnerable to alteration, damage, erasure, or inappropriate use.
(c)  Except as provided by this section, a vulnerability
report and any information or communication prepared or maintained
for use in the preparation of a vulnerability report is
confidential and is not subject to disclosure under Chapter 552.
(d)  The information security officer shall provide an
electronic copy of the vulnerability report on its completion to:
(3)  the agency's executive director;
(4)  the agency's designated information resources
(5)  any other information technology security
oversight group specifically authorized by the legislature to
(e)  Separate from the executive summary described by
Subsection (b), a state agency shall prepare a summary of the
agency's vulnerability report that does not contain any information
the release of which might compromise the security of the state
agency's or state agency contractor's computers, computer programs,
computer networks, computer systems, printers, interfaces to
computer systems, including mobile and peripheral devices,
computer software, data processing, or electronically stored
information.  [The summary is available to the public on request.]
SECTION 10.  Section 2054.136, Government Code, is
transferred to Subchapter E, Chapter 2063, Government Code, as
added by this Act, redesignated as Section 2063.401, Government
Code, and amended to read as follows:
Sec. 2063.401  [2054.136].  DESIGNATED INFORMATION SECURITY
OFFICER.  Each state agency shall designate an information security
(1)  reports to the agency's executive-level
(2)  has authority over information security for the
(3)  possesses the training and experience required to
ensure the agency complies with requirements and policies
established by the command [perform the duties required by
(4)  to the extent feasible, has information security
duties as the officer's primary duties.
SECTION 11.  Section 2054.518, Government Code, is
transferred to Subchapter E, Chapter 2063, Government Code, as
added by this Act, redesignated as Section 2063.402, Government
Code, and amended to read as follows:
Sec. 2063.402  [2054.518].  CYBERSECURITY RISKS AND
INCIDENTS.  (a)  The command [department] shall develop a plan to
address cybersecurity risks and incidents in this state.  The
command [department] may enter into an agreement with a national
organization, including the National Cybersecurity Preparedness
Consortium, to support the command's [department's] efforts in
implementing the components of the plan for which the command
[department] lacks resources to address internally.  The agreement
(1)  providing technical assistance services to
support preparedness for and response to cybersecurity risks and
(2)  conducting cybersecurity simulation exercises for
state agencies to encourage coordination in defending against and
responding to cybersecurity risks and incidents;
(3)  assisting state agencies in developing
cybersecurity information-sharing programs to disseminate
information related to cybersecurity risks and incidents; and
(4)  incorporating cybersecurity risk and incident
prevention and response methods into existing state emergency
plans, including continuity of operation plans and incident
(b)  In implementing the provisions of the agreement
prescribed by Subsection (a), the command [department] shall seek
to prevent unnecessary duplication of existing programs or efforts
of the command [department] or another state agency.
(c) [(d)]  The command [department] shall consult with
institutions of higher education in this state when appropriate
based on an institution's expertise in addressing specific
cybersecurity risks and incidents.
SECTION 12.  Section 2054.133, Government Code, is
transferred to Subchapter E, Chapter 2063, Government Code, as
added by this Act, redesignated as Section 2063.403, Government
Code, and amended to read as follows:
Sec. 2063.403  [2054.133].  INFORMATION SECURITY PLAN.  (a)
Each state agency shall develop, and periodically update, an
information security plan for protecting the security of the
(b)  In developing the plan, the state agency shall:
(1)  consider any vulnerability report prepared under
Section 2063.302 [2054.077] for the agency;
(2)  incorporate the network security services
provided by the department to the agency under Chapter 2059;
(3)  identify and define the responsibilities of agency
staff who produce, access, use, or serve as custodians of the
(4)  identify risk management and other measures taken
to protect the agency's information from unauthorized access,
disclosure, modification, or destruction;
(A)  the best practices for information security
developed by the command [department]; or
(B)  if best practices are not applied, a written
explanation of why the best practices are not sufficient for the
(6)  omit from any written copies of the plan
information that could expose vulnerabilities in the agency's
(c)  Not later than June 1 of each even-numbered year, each
state agency shall submit a copy of the agency's information
security plan to the command [department].  Subject to available
resources, the command [department] may select a portion of the
submitted security plans to be assessed by the command [department]
in accordance with command policies [department rules].
(d)  Each state agency's information security plan is
confidential and exempt from disclosure under Chapter 552.
(e)  Each state agency shall include in the agency's
information security plan a written document that is signed by the
head of the agency, the chief financial officer, and each executive
manager designated by the state agency and states that those
persons have been made aware of the risks revealed during the
preparation of the agency's information security plan.
(f)  Not later than November 15 of each even-numbered year,
the command [department] shall submit a written report to the
governor, the lieutenant governor, the speaker of the house of
representatives, and each standing committee of the legislature
with primary jurisdiction over matters related to the command
[department] evaluating information security for this state's
information resources.  In preparing the report, the command
[department] shall consider the information security plans
submitted by state agencies under this section, any vulnerability
reports submitted under Section 2063.302 [2054.077], and other
available information regarding the security of this state's
information resources.  The command [department] shall omit from
any written copies of the report information that could expose
specific vulnerabilities [in the security of this state's
SECTION 13.  Section 2054.516, Government Code, is
transferred to Subchapter E, Chapter 2063, Government Code, as
added by this Act, redesignated as Section 2063.405, Government
Code, and amended to read as follows:
Sec. 2063.405  [2054.516].  DATA SECURITY PLAN FOR ONLINE
AND MOBILE APPLICATIONS.  (a)  Each state agency implementing an
Internet website or mobile application that processes any sensitive
personal or personally identifiable information or confidential
(1)  submit a biennial data security plan to the
command [department] not later than June 1 of each even-numbered
year to establish planned beta testing for the website or
(2)  subject the website or application to a
vulnerability and penetration test and address any vulnerability
(b)  The command [department] shall review each data
security plan submitted under Subsection (a) and make any
recommendations for changes to the plan to the state agency as soon
as practicable after the command [department] reviews the plan.
SECTION 14.  Section 2054.512, Government Code, is
transferred to Subchapter E, Chapter 2063, Government Code, as
added by this Act, redesignated as Section 2063.406, Government
Code, and amended to read as follows:
Sec. 2063.406  [2054.512].  CYBERSECURITY COUNCIL.  (a)  The
chief or the chief's designee [state cybersecurity coordinator]
shall [establish and] lead a cybersecurity council that includes
public and private sector leaders and cybersecurity practitioners
to collaborate on matters of cybersecurity concerning this state.
(b)  The cybersecurity council must include:
(1)  one member who is an employee of the office of the
(2)  one member of the senate appointed by the
(3)  one member of the house of representatives
appointed by the speaker of the house of representatives;
(4)  one member who is an employee of the Elections
Division of the Office of the Secretary of State; [and]
(5)  one member who is an employee of the department;
(6)  additional members appointed by the chief [state
cybersecurity coordinator], including representatives of
institutions of higher education and private sector leaders.
(c)  Members of the cybersecurity council serve staggered
six-year terms, with as near as possible to one-third of the
members' terms expiring February 1 of each odd-numbered year.
(d)  In appointing representatives from institutions of
higher education to the cybersecurity council, the chief [state
cybersecurity coordinator] shall consider appointing members of
the Information Technology Council for Higher Education.
(e) [(d)]  The cybersecurity council shall:
(1)  consider the costs and benefits of establishing a
computer emergency readiness team to address cybersecurity
incidents [cyber attacks] occurring in this state during routine
(2)  establish criteria and priorities for addressing
cybersecurity threats to critical state installations;
(3)  consolidate and synthesize best practices to
assist state agencies in understanding and implementing
cybersecurity measures that are most beneficial to this state; and
(4)  assess the knowledge, skills, and capabilities of
the existing information technology and cybersecurity workforce to
mitigate and respond to cyber threats and develop recommendations
for addressing immediate workforce deficiencies and ensuring a
long-term pool of qualified applicants.
(f) [(e)]  The chief, in collaboration with the
cybersecurity council, shall provide recommendations to the
legislature on any legislation necessary to implement
cybersecurity best practices and remediation strategies for this
SECTION 15.  Section 2054.514, Government Code, is
transferred to Subchapter E, Chapter 2063, Government Code, as
added by this Act, redesignated as Section 2063.407, Government
Code, and amended to read as follows:
Sec. 2063.407  [2054.514].  RECOMMENDATIONS.  The chief
[state cybersecurity coordinator] may implement any portion, or all
of the recommendations made by the cybersecurity council under
Section 2063.406 [Cybersecurity, Education, and Economic
Development Council under Subchapter N].
SECTION 16.  Subchapter N-2, Chapter 2054, Government Code,
is transferred to Chapter 2063, Government Code, as added by this
Act, redesignated as Subchapter F, Chapter 2063, Government Code,
and amended to read as follows:
SUBCHAPTER F [N-2].  TEXAS VOLUNTEER INCIDENT RESPONSE TEAM
Sec. 2063.501  [2054.52001].  DEFINITIONS.  In this
(1)  "Incident response team" means the Texas volunteer
incident response team established under Section 2063.502
(2)  "Participating entity" means a state agency,
including an institution of higher education, or a local government
that receives assistance under this subchapter during a
cybersecurity incident [event].
(3)  "Volunteer" means an individual who provides rapid
response assistance during a cybersecurity incident [event] under
Sec. 2063.502 [2054.52002].  ESTABLISHMENT OF TEXAS
VOLUNTEER INCIDENT RESPONSE TEAM.  (a)  The command [department]
shall establish the Texas volunteer incident response team to
provide rapid response assistance to a participating entity under
the command's [department's] direction during a cybersecurity
(b)  The command [department] shall prescribe eligibility
criteria for participation as a volunteer member of the incident
response team, including a requirement that each volunteer have
expertise in addressing cybersecurity incidents [events].
Sec. 2063.503 [2054.52003].  CONTRACT WITH VOLUNTEERS.  The
command [department] shall enter into a contract with each
volunteer the command [department] approves to provide rapid
response assistance under this subchapter.  The contract must
(1)  acknowledge the confidentiality of information
required by Section 2063.510 [2054.52010];
(2)  protect all confidential information from
(3)  avoid conflicts of interest that might arise in a
deployment under this subchapter;
(4)  comply with command [department] security
policies and procedures regarding information resources
(5)  consent to background screening required by the
(6)  attest to the volunteer's satisfaction of any
eligibility criteria established by the command [department].
Sec. 2063.504 [2054.52004].  VOLUNTEER QUALIFICATION.  (a)
The command [department] shall require criminal history record
information for each individual who accepts an invitation to become
(b)  The command [department] may request other information
relevant to the individual's qualification and fitness to serve as
(c)  The command [department] has sole discretion to
determine whether an individual is qualified to serve as a
Sec. 2063.505  [2054.52005].  DEPLOYMENT.  (a)  In response
to a cybersecurity incident [event] that affects multiple
participating entities or a declaration by the governor of a state
of disaster caused by a cybersecurity event, the command
[department] on request of a participating entity may deploy
volunteers and provide rapid response assistance under the
command's [department's] direction and the managed security
services framework established under Section 2063.204(c)
[2054.0594(d)] to assist with the incident [event].
(b)  A volunteer may only accept a deployment under this
subchapter in writing.  A volunteer may decline to accept a
Sec. 2063.506 [2054.52006].  CYBERSECURITY COUNCIL
DUTIES.  The cybersecurity council established under Section
2063.406 [2054.512] shall review and make recommendations to the
command [department] regarding the policies and procedures used by
the command [department] to implement this subchapter.  The command
[department] may consult with the council to implement and
Sec. 2063.507 [2054.52007].  COMMAND [DEPARTMENT] POWERS
AND DUTIES.  (a)  The command [department] shall:
(1)  approve the incident response tools the incident
response team may use in responding to a cybersecurity incident
(2)  establish the eligibility criteria an individual
must meet to become a volunteer;
(3)  develop and publish guidelines for operation of
the incident response team, including the:
(A)  standards and procedures the command
[department] uses to determine whether an individual is eligible to
(B)  process for an individual to apply for and
accept incident response team membership;
(C)  requirements for a participating entity to
receive assistance from the incident response team; and
(D)  process for a participating entity to request
and obtain the assistance of the incident response team; and
(4)  adopt policies [rules] necessary to implement this
(b)  The command [department] may require a participating
entity to enter into a contract as a condition for obtaining
assistance from the incident response team.  [The contract must
comply with the requirements of Chapters 771 and 791.]
(c)  The command [department] may provide appropriate
training to prospective and approved volunteers.
(d)  In accordance with state law, the command [department]
may provide compensation for actual and necessary travel and living
expenses incurred by a volunteer on a deployment using money
(e)  The command [department] may establish a fee schedule
for participating entities receiving incident response team
assistance.  The amount of fees collected may not exceed the
command's [department's] costs to operate the incident response
Sec. 2063.508 [2054.52008].  STATUS OF VOLUNTEER;
LIABILITY.  (a)  A volunteer is not an agent, employee, or
independent contractor of this state for any purpose and has no
authority to obligate this state to a third party.
(b)  This state is not liable to a volunteer for personal
injury or property damage sustained by the volunteer that arises
from participation in the incident response team.
Sec. 2063.509 [2054.52009].  CIVIL LIABILITY.  A volunteer
who in good faith provides professional services in response to a
cybersecurity incident [event] is not liable for civil damages as a
result of the volunteer's acts or omissions in providing the
services, except for wilful and wanton misconduct.  This immunity
is limited to services provided during the time of deployment for a
cybersecurity incident [event].
Sec. 2063.510 [2054.52010].  CONFIDENTIAL INFORMATION.
Information written, produced, collected, assembled, or maintained
by the command [department], a participating entity, the
cybersecurity council, or a volunteer in the implementation of this
subchapter is confidential and not subject to disclosure under
Chapter 552 if the information:
(1)  contains the contact information for a volunteer;
(2)  identifies or provides a means of identifying a
person who may, as a result of disclosure of the information, become
a victim of a cybersecurity incident [event];
(3)  consists of a participating entity's cybersecurity
plans or cybersecurity-related practices; or
(4)  is obtained from a participating entity or from a
participating entity's computer system in the course of providing
assistance under this subchapter.
SECTION 17.  Subchapter E, Chapter 2059, Government Code, is
transferred to Chapter 2063, Government Code, as added by this Act,
redesignated as Subchapter G, Chapter 2063, Government Code, and
SUBCHAPTER G [E].  REGIONAL [NETWORK] SECURITY OPERATIONS CENTERS
Sec. 2063.601 [2059.201].  ELIGIBLE PARTICIPATING ENTITIES.
A state agency or an entity listed in Section 2059.058 is eligible
to participate in cybersecurity support and network security
provided by a regional [network] security operations center under
Sec. 2063.602 [2059.202].  ESTABLISHMENT OF REGIONAL
[NETWORK] SECURITY OPERATIONS CENTERS.  (a)  Subject to Subsection
(b), the command [department] may establish regional [network]
security operations centers, under the command's [department's]
managed security services framework established by Section
2063.204(c) [2054.0594(d)], to assist in providing cybersecurity
support and network security to regional offices or locations for
state agencies and other eligible entities that elect to
participate in and receive services through the center.
(b)  The command [department] may establish more than one
regional [network] security operations center only if the command
[department] determines the first center established by the command
[department] successfully provides to state agencies and other
eligible entities the services the center has contracted to
(c)  The command [department] shall enter into an
interagency contract in accordance with Chapter 771 or an
interlocal contract in accordance with Chapter 791, as appropriate,
with an eligible participating entity that elects to participate in
and receive services through a regional [network] security
Sec. 2063.603 [2059.203].  REGIONAL [NETWORK] SECURITY
OPERATIONS CENTER LOCATIONS AND PHYSICAL SECURITY.  (a)  In
creating and operating a regional [network] security operations
center, the command may [department shall] partner with another [a]
university system or institution of higher education as defined by
Section 61.003, Education Code, other than a public junior college.
The system or institution shall:
(1)  serve as an education partner with the command
[department] for the regional [network] security operations
(2)  enter into an interagency contract with the
command [department] in accordance with Chapter 771.
(b)  In selecting the location for a regional [network]
security operations center, the command [department] shall select a
university system or institution of higher education that has
supportive educational capabilities.
(c)  A university system or institution of higher education
selected to serve as a regional [network] security operations
center shall control and monitor all entrances to and critical
areas of the center to prevent unauthorized entry.  The system or
institution shall restrict access to the center to only authorized
(d)  A local law enforcement entity or any entity providing
security for a regional [network] security operations center shall
monitor security alarms at the regional [network] security
operations center subject to the availability of that service.
(e)  The command [department] and a university system or
institution of higher education selected to serve as a regional
[network] security operations center shall restrict operational
information to only center personnel, except as provided by Chapter
Sec. 2063.604 [2059.204].  REGIONAL [NETWORK] SECURITY
OPERATIONS CENTERS SERVICES AND SUPPORT.  The command [department]
may offer the following managed security services through a
regional [network] security operations center:
(1)  real-time network security monitoring to detect
and respond to network security events that may jeopardize this
state and the residents of this state;
(2)  alerts and guidance for defeating network security
threats, including firewall configuration, installation,
management, and monitoring, intelligence gathering, and protocol
(3)  immediate response to counter network security
activity that exposes this state and the residents of this state to
risk, including complete intrusion detection system installation,
management, and monitoring for participating entities;
(4)  development, coordination, and execution of
statewide cybersecurity operations to isolate, contain, and
mitigate the impact of network security incidents for participating
(5)  cybersecurity educational services.
Sec. 2063.605 [2059.205].  NETWORK SECURITY GUIDELINES AND
STANDARD OPERATING PROCEDURES.  (a)  The command [department] shall
adopt and provide to each regional [network] security operations
center appropriate network security guidelines and standard
operating procedures to ensure efficient operation of the center
with a maximum return on the state's investment.
(b)  The command [department] shall revise the standard
operating procedures as necessary to confirm network security.
(c)  Each eligible participating entity that elects to
participate in a regional [network] security operations center
shall comply with the network security guidelines and standard
SECTION 18.  Section 325.011, Government Code, is amended to

Bill History

Bill filed: AN ACT relating to the establishment of the Texas Cyber Command as a