GOVERNMENT CODE


TITLE 10. GENERAL GOVERNMENT


SUBTITLE B. INFORMATION AND PLANNING


CHAPTER 2059. TEXAS COMPUTER NETWORK SECURITY SYSTEM


SUBCHAPTER A. GENERAL PROVISIONS


Sec. 2059.001. DEFINITIONS. In this chapter:

(1) "Center" means the network security center established under this chapter.

(2) "Department" means the Department of Information Resources.

(2-a) "Local government" has the meaning assigned by Section 2054.003.

(3) "Network security" means the protection of computer systems and technology assets from unauthorized external intervention or improper use. The term includes detecting, identifying, and countering malicious network activity to prevent the acquisition of information or disruption of information technology operations.

(4) "State agency" has the meaning assigned by Section 2054.003.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Amended by:

Acts 2023, 88th Leg., R.S., Ch. 242 (H.B. 4553), Sec. 10, eff. September 1, 2023.

SUBCHAPTER B. GENERAL POWERS AND DUTIES


Sec. 2059.051. DEPARTMENT RESPONSIBLE FOR PROVIDING COMPUTER NETWORK SECURITY SERVICES. The department shall provide network security services to:

(1) state agencies; and

(2) other entities by agreement as provided by Section 2059.058.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Sec. 2059.052. SERVICES PROVIDED TO INSTITUTIONS OF HIGHER EDUCATION. The department may provide network security services to an institution of higher education, and may include an institution of higher education in a center, only if and to the extent approved by the Information Technology Council for Higher Education.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Sec. 2059.053. RULES. The department may adopt rules necessary to implement this chapter.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Sec. 2059.054. OWNERSHIP OR LEASE OF NECESSARY EQUIPMENT. The department may purchase in accordance with Chapters 2155, 2156, 2157, and 2158 any facilities or equipment necessary to provide network security services to state agencies.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Sec. 2059.055. RESTRICTED INFORMATION. (a) Confidential network security information may be released only to officials responsible for the network, law enforcement, the state auditor's office, and agency or elected officials designated by the department.

(b) Network security information is confidential under this section if the information is:

(1) related to passwords, personal identification numbers, access codes, encryption, or other components of the security system of a governmental entity;

(2) collected, assembled, or maintained by or for a governmental entity to prevent, detect, or investigate criminal activity; or

(3) related to an assessment, made by or for a governmental entity or maintained by a governmental entity, of the vulnerability of a network to criminal activity.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Amended by:

Acts 2017, 85th Leg., R.S., Ch. 560 (S.B. 564), Sec. 2, eff. September 1, 2017.

Acts 2017, 85th Leg., R.S., Ch. 683 (H.B. 8), Sec. 13, eff. September 1, 2017.

Sec. 2059.056. RESPONSIBILITY FOR EXTERNAL AND INTERNAL SECURITY THREATS. If the department provides network security services for a state agency or other entity under this chapter, the department is responsible for network security from external threats for that agency or entity. Network security management for that state agency or entity regarding internal threats remains the responsibility of that state agency or entity.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Sec. 2059.057. BIENNIAL REPORT. (a) The department shall biennially prepare a report on:

(1) the department's accomplishment of service objectives and other performance measures under this chapter; and

(2) the status, including the financial performance, of the consolidated network security system provided through the center.

(b) The department shall submit the report to:

(1) the governor;

(2) the lieutenant governor;

(3) the speaker of the house of representatives; and

(4) the state auditor's office.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Sec. 2059.058. AGREEMENT TO PROVIDE NETWORK SECURITY SERVICES TO ENTITIES OTHER THAN STATE AGENCIES. In addition to the department's duty to provide network security services to state agencies under this chapter, the department by agreement may provide network security services to:

(1) each house of the legislature and a legislative agency;

(2) a local government;

(3) the supreme court, the court of criminal appeals, or a court of appeals;

(4) a public hospital owned or operated by this state or a political subdivision or municipal corporation of this state, including a hospital district or hospital authority;

(5) the Texas Permanent School Fund Corporation;

(6) an open-enrollment charter school, as defined by Section 5.001, Education Code;

(7) a private school, as defined by Section 5.001, Education Code;

(8) a private or independent institution of higher education, as defined by Section 61.003, Education Code;

(9) a volunteer fire department, as defined by Section 152.001, Tax Code; and

(10) an independent organization certified under Section 39.151, Utilities Code, for the ERCOT power region.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Amended by:

Acts 2019, 86th Leg., R.S., Ch. 509 (S.B. 64), Sec. 19, eff. September 1, 2019.

Acts 2023, 88th Leg., R.S., Ch. 242 (H.B. 4553), Sec. 11, eff. September 1, 2023.

SUBCHAPTER C. NETWORK SECURITY CENTER


Sec. 2059.101. NETWORK SECURITY CENTER. The department shall establish a network security center to provide network security services to state agencies.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Sec. 2059.102. MANAGEMENT AND USE OF NETWORK SECURITY SYSTEM. (a) The department shall manage the operation of network security system services for all state agencies at the center.

(b) The department shall fulfill the network security requirements of each state agency to the extent practicable. However, the department shall protect criminal justice and homeland security networks of this state to the fullest extent possible in accordance with federal criminal justice and homeland security network standards.

(c) All state agencies shall use the network security services provided through the center to the fullest extent possible.

(d) A state agency may not purchase network security services unless the department determines that the agency's requirement for network security services cannot be met at a comparable cost through the center. The department shall develop an efficient process for this determination.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Sec. 2059.103. CENTER LOCATION AND PHYSICAL SECURITY. (a) The department shall locate the center at a location that has an existing secure and restricted facility, cyber-security infrastructure, available trained workforce, and supportive educational capabilities.

(b) The department shall control and monitor all entrances and critical areas to prevent unauthorized entry. The department shall limit access to authorized individuals.

(c) Local law enforcement or security agencies shall monitor security alarms at the center according to service availability.

(d) The department shall restrict operational information to personnel at the center, except as provided by Chapter 321.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Sec. 2059.104. CENTER SERVICES AND SUPPORT. (a) The department shall provide the following managed security services through the center:

(1) real-time network security monitoring to detect and respond to network security events that may jeopardize this state and the residents of this state, including vulnerability assessment services consisting of a comprehensive security posture assessment, external and internal threat analysis, and penetration testing;

(2) continuous, 24-hour alerts and guidance for defeating network security threats, including firewall preconfiguration, installation, management and monitoring, intelligence gathering, protocol analysis, and user authentication;

(3) immediate incident response to counter network security activity that exposes this state and the residents of this state to risk, including complete intrusion detection systems installation, management, and monitoring and a network operations call center;

(4) development, coordination, and execution of statewide cyber-security operations to isolate, contain, and mitigate the impact of network security incidents at state agencies;

(5) operation of a central authority for all statewide information assurance programs; and

(6) the provision of educational services regarding network security.

(b) The department may provide:

(1) implementation of best-of-breed information security architecture engineering services, including public key infrastructure development, design, engineering, custom software development, and secure web design; or

(2) certification and accreditation to ensure compliance with the applicable regulatory requirements for cyber-security and information technology risk management, including the use of proprietary tools to automate the assessment and enforcement of compliance.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Sec. 2059.105. NETWORK SECURITY GUIDELINES AND STANDARD OPERATING PROCEDURES. (a) The department shall adopt and provide to all state agencies appropriate network security guidelines and standard operating procedures to ensure efficient operation of the center with a maximum return on investment for the state.

(b) The department shall revise the standard operating procedures as necessary to confirm network security.

(c) Each state agency shall comply with the network security policies, guidelines, and standard operating procedures.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Sec. 2059.1055. NETWORK SECURITY IN A STATE OF DISASTER. The department shall disconnect the computer network of an entity receiving security services under this chapter from the Internet if the governor issues an order under Section 418.0195 to disconnect the network because of a substantial external threat to the entity's computer network.

Added by Acts 2011, 82nd Leg., R.S., Ch. 1310 (H.B. 3333), Sec. 2, eff. September 1, 2011.

Sec. 2059.106. PRIVATE VENDOR. The department may contract with a private vendor to build and operate the center and act as an authorized agent to acquire, install, integrate, maintain, configure, and monitor the network security services and security infrastructure elements.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

SUBCHAPTER D. FINANCIAL PROVISIONS


Sec. 2059.151. PAYMENT FOR SERVICES. The department shall develop a system of billings and charges for services provided in operating and administering the network security system that allocates the total state cost to each state agency or other entity served by the system based on proportionate usage.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Sec. 2059.152. REVOLVING FUND ACCOUNT. (a) The comptroller shall establish in the state treasury a revolving fund account for the administration of this chapter. The account must be used as a depository for money received from state agencies and other entities served under this chapter. Receipts attributable to the centralized network security system must be deposited into the account and separately identified within the account.

(b) The legislature may appropriate money for operating the system directly to the department, in which case the revolving fund account must be used to receive money due from local governmental entities and other agencies to the extent that their money is not subject to legislative appropriation.

(c) The department shall maintain in the revolving fund account sufficient amounts to pay the liabilities of the center and related network security services.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

Sec. 2059.153. GRANTS. The department may apply for and use for purposes of this chapter the proceeds from grants offered by any federal agency or other source.

Added by Acts 2005, 79th Leg., Ch. 760 (H.B. 3112), Sec. 1, eff. September 1, 2005.

SUBCHAPTER E. REGIONAL NETWORK SECURITY CENTERS


Sec. 2059.201. ELIGIBLE PARTICIPATING ENTITIES. A state agency or an entity listed in Section 2059.058 is eligible to participate in cybersecurity support and network security provided by a regional network security center under this subchapter.

Added by Acts 2021, 87th Leg., R.S., Ch. 567 (S.B. 475), Sec. 9, eff. June 14, 2021.

Amended by:

Acts 2023, 88th Leg., R.S., Ch. 242 (H.B. 4553), Sec. 12, eff. September 1, 2023.

Sec. 2059.202. ESTABLISHMENT OF REGIONAL NETWORK SECURITY CENTERS. (a) Subject to Subsection (b), the department may establish regional network security centers, under the department's managed security services framework established by Section 2054.0594(d), to assist in providing cybersecurity support and network security to regional offices or locations for state agencies and other eligible entities that elect to participate in and receive services through the center.

(b) The department may establish more than one regional network security center only if the department determines the first center established by the department successfully provides to state agencies and other eligible entities the services the center has contracted to provide.

(c) The department shall enter into an interagency contract in accordance with Chapter 771 or an interlocal contract in accordance with Chapter 791, as appropriate, with an eligible participating entity that elects to participate in and receive services through a regional network security center.

Added by Acts 2021, 87th Leg., R.S., Ch. 567 (S.B. 475), Sec. 9, eff. June 14, 2021.

Sec. 2059.203. REGIONAL NETWORK SECURITY CENTER LOCATIONS AND PHYSICAL SECURITY. (a) In creating and operating a regional network security center, the department shall partner with a university system or institution of higher education as defined by Section 61.003, Education Code, other than a public junior college. The system or institution shall:

(1) serve as an education partner with the department for the regional network security center; and

(2) enter into an interagency contract with the department in accordance with Chapter 771.

(b) In selecting the location for a regional network security center, the department shall select a university system or institution of higher education that has supportive educational capabilities.

(c) A university system or institution of higher education selected to serve as a regional network security center shall control and monitor all entrances to and critical areas of the center to prevent unauthorized entry. The system or institution shall restrict access to the center to only authorized individuals.

(d) A local law enforcement entity or any entity providing security for a regional network security center shall monitor security alarms at the regional network security center subject to the availability of that service.

(e) The department and a university system or institution of higher education selected to serve as a regional network security center shall restrict operational information to only center personnel, except as provided by Chapter 321.

Added by Acts 2021, 87th Leg., R.S., Ch. 567 (S.B. 475), Sec. 9, eff. June 14, 2021.

Sec. 2059.204. REGIONAL NETWORK SECURITY CENTERS SERVICES AND SUPPORT. The department may offer the following managed security services through a regional network security center:

(1) real-time network security monitoring to detect and respond to network security events that may jeopardize this state and the residents of this state;

(2) alerts and guidance for defeating network security threats, including firewall configuration, installation, management, and monitoring, intelligence gathering, and protocol analysis;

(3) immediate response to counter network security activity that exposes this state and the residents of this state to risk, including complete intrusion detection system installation, management, and monitoring for participating entities;

(4) development, coordination, and execution of statewide cybersecurity operations to isolate, contain, and mitigate the impact of network security incidents for participating entities; and

(5) cybersecurity educational services.

Added by Acts 2021, 87th Leg., R.S., Ch. 567 (S.B. 475), Sec. 9, eff. June 14, 2021.

Sec. 2059.205. NETWORK SECURITY GUIDELINES AND STANDARD OPERATING PROCEDURES. (a) The department shall adopt and provide to each regional network security center appropriate network security guidelines and standard operating procedures to ensure efficient operation of the center with a maximum return on the state's investment.

(b) The department shall revise the standard operating procedures as necessary to confirm network security.

(c) Each eligible participating entity that elects to participate in a regional network security center shall comply with the network security guidelines and standard operating procedures.

Added by Acts 2021, 87th Leg., R.S., Ch. 567 (S.B. 475), Sec. 9, eff. June 14, 2021.