Agency Proposed Rule Summaries

DIR maintains this page to comply with Government Code Section 2001.023(c), which requires DIR to post a plain language summary of its proposed rule on its website when it submits notice of a proposed rule to the Texas Register.

Date Submitted to the Texas Register: August 22, 2023

Texas Register Issue Publication Date: September 8, 2023

Plain language Summary:

The Texas Department of Information Resources (department) proposes amendments to 1 Texas Administrative Code (TAC) Chapter 202, §§202.1, 202.23, 202.27, 202.73, and 202.77, concerning Information Security Standards. The proposed changes update the Texas Risk and Authorization Management Program (TX-RAMP) to incorporate necessary programmatic changes to address cybersecurity and stakeholder needs and expand upon the requirements for the information security assessment and report required by Texas Government Code §2054.515(c). The department also proposes a new section, §202.5, to create a single location for all TX-RAMP requirements for the department and instructions on how vendors may adhere to the requirements of the program.

The department amends the title of 1 TAC Chapter 202, Subchapter A, to include "and Responsibilities" to reflect the expansion of elements within Subchapter A outside of definitions.

In §202.1, the department corrects certain grammatical errors within definitions used by 1 TAC Chapter 202. The department also revises the definition for "security incident" and creates a new definition for "local government."

In §202.23, for state agencies, and §202.73, for institutions of higher education, the department proposes amendments that establish the minimum requirements for an entity's biennial information security assessment as well as the method and time by which an entity must report its information security assessment to all statutorily identified parties. In addition, the department proposes amendments that incorporate statutory admonishments to state agencies, local governments, and institutions of higher education on notifying the department of the conclusion of a security incident within 10 days after the eradication, closure, and recovery from a security incident.

In §202.23, the department incorporates reporting requirements for local government security incidents as required by Senate Bill 271 [88th Legislature (Regular)]. The proposed local government security incident reporting requirements mirror those currently existing for state agencies.

In §202.27, for state agencies, and §202.77, for institutions of higher education, the department proposes amendments to streamline the sections to include only those items that are specific to the type of entity to which the subchapter is applicable.

The department proposes the creation of a new section, §202.5, concerning TX-RAMP. The Texas Legislature passed Senate Bill 475 (SB 475), which created the state risk and authorization management program, in the 87th Regular Session. Under TX-RAMP, the department must provide a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services. This requires the department to institute a number of regulatory requirements and procedures, both for itself and vendors who are seeking to become or are already TX-RAMP certified, that apply regardless of whether the customer is a state agency or institution of higher education. The proposed new section consolidates department and vendor requirements that are identical regardless of customer entity.

The proposed rule applies to state agencies, institutions of higher education, and, in limited scope as required by Senate Bill 271 [88th Legislative Session (Regular)], local governments, a term which may include approximately 1,100 rural communities as defined by Texas Government Code §2006.001(1-a). It does not apply to small businesses or micro-businesses. As a result, there is no economic impact on small businesses or micro-businesses as a result of enforcing or administering the amended rule as proposed.

There is no adverse economic impact to rural communities as a result of the proposed rule. Previously, rural communities that found themselves the victim of a security incident were required to address the recovery from the security incident on their own. With the passage of Senate Bill 271 [88th Legislative Session (Regular)], local governments, including rural communities as defined by Texas Government Code §2006.001(1-a), are now required to comply with the same security incident reporting rules imposed upon state agencies and institutions of higher education. The department discussed this matter extensively with local governments prior to the passage of Senate Bill 271 [88th Legislative Session (Regular)] to ensure that there was no adverse impact to local governments, including rural communities. Rural communities must report their security incidents either by submitting a form through the department-hosted system or by calling a specified department number. This allows rural communities to receive efficient and increased access to department support and resources, where before rural communities may not have known whom to contact during a security incident and may not have been able to receive department and/or statewide assistance in a timely fashion. Due to the lack of complexity associated with how rural communities are required to report security incidents and the benefits associated with reporting, there is no adverse economic impact to rural communities.

The department worked extensively with local government representatives during the legislative session and following the passage of Senate Bill 271 [88th Legislative Session (Regular)] to ensure that the required rules imposed the least administrative burden upon local governments, including rural communities. As proposed, these rules are the least burdensome means of implementing the statutory requirements.

The assessment of the impact of the proposed changes on institutions of higher education was prepared in consultation with the Information Technology Council for Higher Education (ITCHE) in compliance with Texas Government Code §2054.121(c). DIR submitted the proposed amendments to the Information Technology Council of Higher Education for their review. DIR determined that there was no direct impact on institutions of higher education as a result of the proposed rules.

Nancy Rainosek, Chief Information Security Officer for the State of Texas, has determined that there will be no fiscal impact upon state agencies, institutions of higher education, and local government during the first five-year period following the adoption of the proposed amendments. By permitting certain third-party certifications or attestations to partially satisfy TX-RAMP certification requirements at the department's discretion and realigning baseline levels to permit entities to assess required needs based upon an impact standard, the department has increased the overall effectiveness of the TX-RAMP rules and addresses the statutory requirement for the department to administer a robust and standardized security assessment program for cloud computing service providers. The department's creation of minimum requirements for the information security assessment that each state agency and institution of higher education must complete allows for a rigorous yet still customizable assessment that entities must complete at least biennially to determine the entity's overall security; many of the minimum requirements align with best practice standards already required for information security and, as such, do not result in a fiscal impact. Furthermore, local governments' reporting of security incidents, in alignment with Senate Bill 271 [88th Legislative Session (Regular)] and the proposed rule requirements, allows local governments better access to department expertise and support, which not only results in no fiscal impact but may actually alleviate strain upon local government resources. There is no fiscal impact as a result of the proposed changes to state agencies, institutions of higher education, and local government. Ms. Rainosek has further determined that for each year of the first five years following the adoption of the amended 1 TAC Chapter 202, there are no anticipated additional economic costs to persons or small businesses required to comply with the amendments and proposed new rules.

Pursuant to Texas Government Code §2001.0221, the agency provides the following Governmental Growth Impact Statement for the proposed amendments. The agency has determined the following:

  1. The proposed rules neither create nor eliminate a government program. The TX-RAMP program and the information security assessment and report were created by Senate Bill 475 during the 87th Legislature and the proposed rules merely administer and implement these required items.
  2. Implementation of the proposed rules does not require the creation or elimination of employee positions. There are no additional employees required nor employees eliminated to implement the rule as amended.
  3. Implementation of the proposed rules does not require an increase or decrease in future legislative appropriations to the agency. There is no fiscal impact as implementing the rule does not require an increase or decrease in future legislative appropriations.
  4. The proposed rules do not require an increase or decrease in fees paid to the agency.
  5. The proposed rules create a new rule section that consolidates existing duplicated requirements for the department and cloud computing services found in Subchapters B and C. A significant portion of the information contained in the new rule section previously existed in 1 TAC §§202.27 and 202.77.
  6. The proposed rules do not repeal an existing regulation.
  7. The proposed rules do not increase or decrease the number of individuals subject to the rule's applicability. 1 TAC §202.23(e) as proposed now requires local governments to report security incidents as defined by rule. Senate Bill 271 [88th Legislative Session (Regular)] requires local governments to comply with all security incident reporting rules required of state agencies; the department has simply adapted its rule to incorporate this statutory requirement. Beyond the change mandated by Senate Bill 271 [88th Legislative Session (Regular)], the department has neither expanded nor reduced the overall applicability of these rules and, as such, the number of individuals subject to the rule has not changed.
  8. The proposed rules do not positively or adversely affect the state's economy. The proposed amendments to the TX-RAMP program, local government security incident reporting requirements, and minimum requirements necessary for an entity's information security assessment increase the security of governmental entities.

Written comments on the proposed rules may be submitted to Christi Koenig Brisky, Assistant General Counsel, 300 West 15th Street, Suite 1300, Austin, Texas 78701, or to [email protected]. Comments will be accepted for 30 days after publication in the Texas Register.

The amendments are proposed pursuant to Texas Government Code §2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054; Texas Government Code §2054.0593(c), which requires the department to adopt rules necessary to implement and administer the Texas Risk and Authorization Management Program; Senate Bill 271 [88th Legislative Session (Regular)], which orders local government compliance with all department rules relating to security incident reporting; and Texas Government Code §2054.515(c), which requires the department to establish the requirements for the information security assessment and report in its administrative rules.

No other code, article, or statute is affected by this proposal.

Date Submitted to the Texas Register: August 22, 2023

Texas Register Issue Publication Date: September 8, 2023

Plain Language Summary:

The Texas Department of Information Resources (department) proposes the creation of 1 Texas Administrative Code (TAC) Chapter 218, Subchapter A, §§218.1 - 218.3, Subchapter B, §218.10, and Subchapter C, §218.20. This proposed chapter addresses the requirements for a state agency as defined by Texas Government Code Chapter 2054 to conduct an information security assessment of the agency's data governance program.

Within Subchapter A, the department proposes the creation of §§218.1 - 218.3. Section 218.1 introduces any specialized definitions required by the rule, which include the terms "data governance program," "data management officer," and "data maturity assessment." Section 218.2 defines the term state agency. Section 218.3 defines the term institution of higher education.

The department proposes the creation of Subchapter B, §218.20, for state agencies, and Subchapter C, §218.30, for institutions of higher education. These sections establish the minimum requirements that an entity's information security assessment of its data governance program, as required by Texas Government Code § 2054.515(a)(2), must meet to be considered compliant with the statutory requirement. In §218.30, the department also proposes the clarification that the data maturity assessment is considered a statutory component of the information security assessment, which is an information security standard, and, as such, public junior colleges must comply with this requirement subject to Texas Government Code § 2054.0075.

There is no economic impact on rural communities or small businesses as a result of enforcing or administering the new rules as proposed.

The new rules in this chapter apply only to state agencies and institutions of higher education.

The assessment of the impact of the proposed changes on institutions of higher education was prepared in consultation with the Information Technology Council for Higher Education (ITCHE) in compliance with Texas Government Code § 2054.121(c). DIR submitted the proposal to the Information Technology Council of Higher Education for their review. DIR determined that there was no direct impact on institutions of higher education as a result of the proposed rules.

Neil Cooke, the Chief Data Officer, has determined that there will be no fiscal impact upon state agencies, institutions of higher education, and local governments during the first five-year period following the adoption of the proposed new rules. State agencies are required by Texas Government Code § 2054.515(a) to complete a biennial information security assessment of, among other elements, their data governance programs; the proposed rules simply establish the minimum necessary components of this data maturity assessment. This allows for a rigorous data maturity assessment that still permits entity-specific customization and scaling to address each entity's unique data governance program. As such, the proposed chapter does not result in a fiscal impact to state agencies, institutions of higher education, or local governments. Mr. Cooke has further determined that for each year of the first five years following the adoption of the new 1 TAC Chapter 218, there are no anticipated additional economic costs to persons or small businesses required to comply with the proposed new rules.

Pursuant to Texas Government Code § 2001.0221, the agency provides the following Governmental Growth Impact Statement for the proposed new rules. The agency has determined the following:

  1. The proposed rules neither create nor eliminate a government program. Texas Government Code § 2054.515(a)(2) requires state agencies to complete the information security assessment and report, including the data maturity assessment. The proposed rules merely administer the minimum requirements for this assessment.
  2. Implementation of the proposed rules does not require the creation or elimination of employee positions. There are no additional employees required nor employees eliminated to implement the rule as proposed.
  3. Implementation of the proposed rules does not require an increase or decrease in future legislative appropriations to the agency. There is no fiscal impact as implementing the rule does not require an increase or decrease in future legislative appropriations.
  4. The proposed rules do not require an increase or decrease in fees paid to the agency.
  5. The proposed rules create a new rule chapter that clarifies the minimum requirements for the state agency data maturity assessment mandated by Texas Government Code § 2054.515(a)(2). The department previously addressed items referential to the data maturity assessment in 1 Texas Administrative Code Chapter 202; the department proposes this new chapter in alignment with the rulemaking authority granted by Texas Government Code § 2054.515 to streamline the information security assessment process and alleviate confusion regarding data maturity assessment requirements.
  6. The proposed rules do not repeal an existing regulation.
  7. The proposed rules do not increase or decrease the number of individuals subject to the rule's applicability. Texas Government Code § 2054.515 requires state agencies to complete the information security assessment, which includes the data maturity assessment; Texas Government Code Chapter 2054 establishes the parameters of the term "state agency," which identifies the entities that are subject to this chapter's requirements. Public junior colleges are not excepted from information security standards established by the department. Tex. Gov't Code § 2054.0075. These information security standards are established, among other places, in 1 TAC Chapter 202. To the extent that the data security maturity assessment is a statutory component of the information security assessment and the information security assessment requirements reside in 1 TAC Chapter 202, public junior colleges are subject to this requirement.
  8. The proposed rules do not positively or adversely affect the state's economy. The creation of rules establishing minimum requirements for an entity's data maturity assessment ensures that state agencies are scrutinizing their data governance program to ensure rigorous security standards and alignment with best practices.

Written comments on the proposed rules may be submitted to Christi Koenig Brisky, Assistant General Counsel, 300 West 15th Street, Suite 1300, Austin, Texas 78701, or to [email protected]. Comments will be accepted for 30 days after publication in the Texas Register.

The new rules are proposed pursuant to Texas Government Code § 2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054, and Texas Government Code § 2054.515(a)(2), which admonishes the department to establish the data maturity assessment requirements by rule.

No other code, article, or statute is affected by this proposal.
