88R2127 JCG-D

By: Campbell

S.B. No. 2377

A BILL TO BE ENTITLED

AN ACT

relating to homeland security, including the creation of the Texas Homeland Security Division in the Department of Public Safety, the operations of the Homeland Security Council, the creation of a homeland security fusion center, and the duties of state agencies and local governments in preparing for, reporting, and responding to cybersecurity breaches; providing administrative penalties; creating criminal offenses.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. (a) The legislature finds that the federal government's inadequate border security measures, the trafficking of fentanyl across the borders of this state, Central America's turn towards authoritarian regimes, China's hostile rhetoric regarding Taiwan, and Russia's invasion of Ukraine create an ever-changing threat landscape to the security of this state.

(b) Due to these continuous threats, this state must continue taking serious measures to secure its critical infrastructure, cyber networks, and border and monitor security threats from hostile nations and non-state actors.

(c) These present and future threats require this state to create a unified security organization under the Department of Public Safety of the State of Texas whose sole mission is to safeguard the people and infrastructure that make this state great.

(d) The Texas Homeland Security Division, as established by this Act, will unify this state's security responsibilities into one entity that reports directly to the governor and the public safety director of the Department of Public Safety of the State of Texas.

SECTION 2. Chapter 411, Government Code, is amended by adding Subchapter S to read as follows:

SUBCHAPTER S. TEXAS HOMELAND SECURITY DIVISION

Sec. 411.551. DEFINITIONS. In this subchapter:

(1) "Division" means the Texas Homeland Security Division established in the department under this subchapter.

(2) "Division director" means the director of the Texas Homeland Security Division appointed under this subchapter.

Sec. 411.552. ESTABLISHMENT; DIRECTOR; EMPLOYEES. (a) The Texas Homeland Security Division is established in the department.

(b) Notwithstanding Section 411.006(a)(6), the public safety director shall appoint, with the advice and consent of the governor, a homeland security director to manage the division.

(c) The division director may hire employees as necessary to carry out the duties of the division.

Sec. 411.553. GENERAL DUTIES. The division shall, in consultation with the governor:

(1) develop and implement strategic homeland security operations; and

(2) unify governmental activities and responsibilities related to homeland security under the direction of the division.

Sec. 411.554. BORDER SECURITY: INTELLIGENCE. (a) The division shall coordinate with the Texas Military Department, state and local law enforcement agencies, federal agencies, and any other entity the division determines appropriate to secure the international border.

(b) In coordinating with the entities described by Subsection (a), the division shall:

(1) collect, analyze, and provide intelligence for each major operation to secure the international border, including consulting with the Texas Military Department and other appropriate agencies that collect, analyze, or provide intelligence to the governor, the department, and other entities deployed on major operations;

(2) make recommendations on essential tasks and desired results for each element of a major operation;

(3) provide augmented equipment and personnel for a major operation; and

(4) conduct periodic internal reviews of interoperability among agencies deployed on a major operation and make available reports on subsequent efforts to improve interoperability.

(c) Each month, the division shall provide a report to the governor on the major operations conducted by this state to secure the international border.

Sec. 411.555. BORDER SECURITY: GRANT RECOMMENDATIONS. The division shall advise the criminal justice division of the governor's office on the allocation of grants under the prosecution of border crime grant program established under Section 772.0071.

Sec. 411.556. CRITICAL INFRASTRUCTURE AND POWER GRID. (a) The division shall coordinate with federal, state, and local agencies, and any other entity the division determines appropriate, to protect the critical infrastructure of this state and the ERCOT power grid from remote and physical attacks, including:

(1) oil and gas infrastructure, including:

(A) oil, gas, and chemical pipelines;

(B) oil and gas drilling sites; and

(C) oil, gas, and chemical production facilities;

(2) electrical power generating facilities, substations, switching stations, and electrical control centers;

(3) petroleum and alumina refineries and chemical, polymer, and rubber manufacturing facilities; and

(4) water intake structures, water treatment facilities, wastewater treatment plants, and pump stations.

(b) In coordinating the efforts of this state to secure critical infrastructure and the ERCOT power grid, the division shall cooperate with the Cybersecurity and Infrastructure Security Agency, the United States Department of Energy, and the Homeland Security Fusion Center.

Sec. 411.557. CRITICAL INFRASTRUCTURE: INVESTIGATION OF CERTAIN PURCHASES. The division shall investigate any purchases of substantial portions of land or infrastructure in this state by a designated country, as that term is defined by Section 2274.0101, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021.

Sec. 411.558. PROHIBITED EQUIPMENT REPORTS. At least annually, the division shall issue a report to the governor, lieutenant governor, members of the legislature, and all state agencies identifying equipment that the United States Department of Defense has prohibited entities that contract with the department of defense from using.

Sec. 411.559. CYBERSECURITY: WEBSITE FOR REPORTING THREATS AND ATTACKS. The division shall develop a secure Internet website that is accessible by state agencies and local governments and permits those entities to report to the division suspected cybersecurity threats and attacks against those entities.

Sec. 411.560. BUDGET REQUESTS. (a) Not later than April 1 of each even-numbered year, the division director shall submit to the public safety director a request for appropriations that estimates the cost of the division's operations.

(b) A request for appropriations described by Subsection (a) may not be aggregated with any other appropriation request made by the department when the request is submitted to a legislative committee with jurisdiction over appropriations.

SECTION 3. Section 421.021, Government Code, is amended by adding Subsection (a-1) to read as follows:

(a-1) The Homeland Security Council is composed of:

(1) the governor or the governor's designee;

(2) the lieutenant governor or the lieutenant governor's designee;

(3) the director of the Texas Homeland Security Division of the Department of Public Safety; and

(4) other persons appointed by the governor or lieutenant governor.

SECTION 4. Section 421.023, Government Code, is amended by amending Subsections (c) and (d) and adding Subsection (f) to read as follows:

(c) The governor shall designate the director of the Texas Homeland Security Division of the Department of Public Safety as the presiding officer of the council.

(d) The council shall meet at the call of the presiding officer [governor] and shall meet at least once each quarter in a calendar year.

(f) The presiding officer shall appoint a secretary, who may be a member of the council, to record meeting minutes and attendance.

SECTION 5. Section 421.024, Government Code, is amended to read as follows:

Sec. 421.024. DUTIES. The council shall advise the governor on:

(1) the implementation of the governor's homeland security strategy by state and local agencies and provide specific suggestions for helping those agencies implement the strategy; [and]

(2) recommendations from the Texas Homeland Security Division of the Department of Public Safety on improving the security of this state; and

(3) other matters related to the planning, development, coordination, and implementation of initiatives to promote the governor's homeland security strategy.

SECTION 6. Chapter 421, Government Code, is amended by adding Subchapter E-1 to read as follows:

SUBCHAPTER E-1. HOMELAND SECURITY FUSION CENTER

Sec. 421.0901. DEFINITIONS. In this subchapter:

(1) "Board" means the oversight board of the homeland security fusion center.

(2) "Director" means the director of the Texas Homeland Security Division of the Department of Public Safety.

Sec. 421.0902. HOMELAND SECURITY FUSION CENTER. (a) From funds available for this purpose, the director may:

(1) establish the homeland security fusion center; and

(2) hire employees to operate the homeland security fusion center.

(b) The homeland security fusion center shall:

(1) collect, receive, generate, and disseminate intelligence critical for homeland security policy and homeland security activities in this state, including the issuance of relevant threat warnings;

(2) promote and improve intelligence sharing:

(A) among public safety and public service agencies at the federal, state, local, and tribal levels; and

(B) with entities in the private sector operating critical infrastructure and other key resources;

(3) otherwise support federal, state, local, and tribal agencies and private organizations in preventing, preparing for, responding to, and recovering from homeland security threats and attacks; and

(4) maintain intelligence collected, received, or generated in compliance with applicable state and federal law and in a secure manner, including:

(A) providing appropriate security for a facility that contains sensitive information;

(B) compartmentalizing sensitive information; and

(C) adopting appropriate internal procedures for the security of the facility and the information.

Sec. 421.0903. OVERSIGHT BOARD; QUALIFICATIONS; RULES. (a) If the homeland security fusion center is established under Section 421.0902, there is also established an oversight board that shall govern the operations of the homeland security fusion center.

(b) The board is composed of:

(1) the director;

(2) the adjutant general; and

(3) other persons appointed by the director.

(c) The director serves as the chair of the board and the adjutant general serves as the vice chair.

(d) A member of the board must have and maintain a secret security clearance granted by the United States government. A person who has applied for a secret security clearance and has been granted an interim secret security clearance may serve as a member of the board but may not be given access to classified information, participate in a briefing involving classified information, or vote on an issue involving classified information before the person is granted a secret security clearance.

(e) The board may adopt rules, policies, and procedures for the operation of the homeland security fusion center.

Sec. 421.0904. GIFTS, GRANTS, AND DONATIONS; DEDICATED ACCOUNT. (a) The homeland security fusion center may accept gifts, grants, and donations of any kind from any public or private source, including services or property, for the purpose of paying the costs to establish, maintain, or operate the homeland security fusion center.

(b) The homeland security fusion center shall remit all amounts received under this section to the comptroller. The comptroller shall deposit the amounts to the credit of an account in the general revenue fund that may be appropriated only to the Department of Public Safety to provide funding for establishing, maintaining, or operating the homeland security fusion center.

(c) The board must approve expenditures made for the purposes described by Subsection (b).

Sec. 421.0905. ADMINISTRATIVE SUPPORT. The Texas Homeland Security Division of the Department of Public Safety shall provide administrative support for the homeland security fusion center and the board, including securely maintaining the records of the board.

SECTION 7. Section 2054.077(d), Government Code, is amended to read as follows:

(d) The information security officer shall provide an electronic copy of the vulnerability report on its completion to:

(1) the Texas Homeland Security Division of the Department of Public Safety;

(2) the department;

(3) [(2)] the state auditor;

(4) [(3)] the agency's executive director;

(5) [(4)] the agency's designated information resources manager; and

(6) [(5)] any other information technology security oversight group specifically authorized by the legislature to receive the report.

SECTION 8. Section 2054.1125, Government Code, is amended by amending Subsection (b) and adding Subsections (d) and (e) to read as follows:

(b) A state agency that owns, licenses, or maintains computerized data that includes sensitive personal information, confidential information, or information the disclosure of which is regulated by law shall, in the event of a breach or suspected breach of system security or an unauthorized exposure of that information:

(1) comply with the notification requirements of Section 521.053, Business & Commerce Code, to the same extent as a person who conducts business in this state; and

(2) not later than 48 hours after the discovery of the breach, suspected breach, or unauthorized exposure, notify:

(A) the Texas Homeland Security Division of the Department of Public Safety;

(B) the department, including the chief information security officer; and

(C) [or (B)] if the breach, suspected breach, or unauthorized exposure involves election data, the secretary of state.

(d) The Texas Homeland Security Division of the Department of Public Safety shall notify the governor of any breach or suspected breach reported to the division under this section.

(e) The administrative head of a state agency commits an offense if the person intentionally or knowingly fails to notify the Texas Homeland Security Division of the Department of Public Safety of a breach, suspected breach, or unauthorized exposure, as required by Subsection (b)(2)(A). An offense under this subsection is a Class C misdemeanor.

SECTION 9. Section 2054.133(f), Government Code, is amended to read as follows:

(f) Not later than November 15 of each even-numbered year, the department shall submit a written report to the governor, the lieutenant governor, and each standing committee of the legislature with primary jurisdiction over matters related to the department evaluating information security for this state's information resources. In preparing the report, the department shall consider the information security plans submitted by state agencies under this section, any vulnerability reports submitted under Section 2054.077, any relevant information provided by the Texas Homeland Security Division of the Department of Public Safety, and other available information regarding the security of this state's information resources. The department shall omit from any written copies of the report information that could expose specific vulnerabilities in the security of this state's information resources.

SECTION 10. Section 2054.511, Government Code, is amended to read as follows:

Sec. 2054.511. CYBERSECURITY COORDINATOR. (a) The executive director shall designate an employee of the department as the state cybersecurity coordinator to oversee cybersecurity matters for this state.

(b) The director of the Texas Homeland Security Division of the Department of Public Safety and the cybersecurity coordinator shall jointly improve the efficacy and efficiency of this state's response to and investigations of cyber attacks occurring in this state.

SECTION 11. Section 2054.512(b), Government Code, is amended to read as follows:

(b) The cybersecurity council must include:

(1) one member who is an employee of the office of the governor;

(2) one member of the senate appointed by the lieutenant governor;

(3) one member of the house of representatives appointed by the speaker of the house of representatives;

(4) the director of the Texas Homeland Security Division of the Department of Public Safety;

(5) one member who is an employee of the Elections Division of the Office of the Secretary of State; and

(6) [(5)] additional members appointed by the state cybersecurity coordinator, including representatives of institutions of higher education and private sector leaders.

SECTION 12. Section 2054.515(b), Government Code, as amended by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the 87th Legislature, Regular Session, 2021, is reenacted and amended to read as follows:

(b) Not later than December 1 of the year [November 15 of each even-numbered year] in which a state agency conducts the assessment under Subsection (a) or the 60th day after the date the agency completes the assessment, whichever occurs first, the agency shall report the results of the assessment to:

(1) the Texas Homeland Security Division of the Department of Public Safety;

(2) the department; and

(3) [(2)] on request, the governor, the lieutenant governor, and the speaker of the house of representatives.

SECTION 13. Section 2054.518(a), Government Code, is amended to read as follows:

(a) In consultation with the Texas Homeland Security Division of the Department of Public Safety, the [The] department shall develop a plan to address cybersecurity risks and incidents in this state. The department may enter into an agreement with a national organization, including the National Cybersecurity Preparedness Consortium, to support the department's efforts in implementing the components of the plan for which the department lacks resources to address internally. The agreement may include provisions for:

(1) providing technical assistance services to support preparedness for and response to cybersecurity risks and incidents;

(2) conducting cybersecurity simulation exercises for state agencies to encourage coordination in defending against and responding to cybersecurity risks and incidents;

(3) assisting state agencies in developing cybersecurity information-sharing programs to disseminate information related to cybersecurity risks and incidents; and

(4) incorporating cybersecurity risk and incident prevention and response methods into existing state emergency plans, including continuity of operation plans and incident response plans.

SECTION 14. Subchapter F, Chapter 2270, Government Code, is amended by adding Section 2270.0254 to read as follows:

Sec. 2270.0254. ADMINISTRATIVE PENALTY. The Department of Public Safety may impose an administrative penalty in the same manner and using the same procedures as Subchapter R, Chapter 411, against a person who violates this chapter.

SECTION 15. Chapter 2274, Government Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021, is amended by adding Section 2274.0104 to read as follows:

Sec. 2274.0104. ADMINISTRATIVE PENALTY. The Department of Public Safety may impose an administrative penalty in the same manner and using the same procedures as Subchapter R, Chapter 411, against a person who violates this chapter.

SECTION 16. Section 205.010(a), Local Government Code, is amended by adding Subdivision (1-a) to read as follows:

(1-a) "Local government" means a municipality, county, special district or authority, or any other political subdivision of this state.

SECTION 17. Section 205.010, Local Government Code, is amended by adding Subsections (c), (d), and (e) to read as follows:

(c) In addition to notifying the attorney general under Section 521.053, Business & Commerce Code, of a breach of system security, the local government shall report the breach to the Texas Homeland Security Division of the Department of Public Safety. The division shall notify the governor of a breach of system security reported to the division under this section.

(d) Not later than the 10th business day after the date of the eradication, closure, and recovery from a breach, a local government shall notify the Department of Information Resources, including the chief information security officer, of the details of the event and include in the notification an analysis of the cause of the event.

(e) The administrative head of a local government commits an offense if the person intentionally or knowingly fails to notify the Texas Homeland Security Division of the Department of Public Safety of a breach of system security as required by Subsection (c). An offense under this subsection is a Class C misdemeanor.

SECTION 18. (a) Section 421.021(a), Government Code, as amended by Chapters 93 (S.B. 686), 616 (S.B. 1393), and 1217 (S.B. 1536), Acts of the 83rd Legislature, Regular Session, 2013, is repealed.

(b) Section 421.021(c), Government Code, is repealed.

SECTION 19. As soon as practicable after the Texas Homeland Security Division of the Department of Public Safety of the State of Texas is established, the division shall notify each state agency and local government of the requirements to notify the division of a breach of system security under Section 2054.1125, Government Code, as amended by this Act, and Section 205.010, Local Government Code, as amended by this Act, including the criminal penalties that may be imposed for failure to comply with those requirements.

SECTION 20. It is the intent of the 88th Legislature, Regular Session, 2023, that the amendments made by this Act be harmonized with another Act of the 88th Legislature, Regular Session, 2023, relating to nonsubstantive additions to and corrections in enacted codes.

SECTION 21. This Act takes effect September 1, 2023.