
Texas Register Preamble


The Department of Information Resources (department) adopts new 1 TAC §202.28 and §202.78 and amendments to 1 TAC §§202.1, 202.25, and 202.75 without changes from the proposed text as published in the November 18, 2005, issue of the Texas Register (30 TexReg 7629).

The new sections address the need to remove data from any associated storage device prior to the sale or transfer of the data processing equipment. The amendments add requirements to address security issues related to wireless access to state systems and to conducting vulnerability assessments, clarify language, and correct grammar.

The department received the following comments on the proposal:

1. Section 202.25(7)(W)(ii), Information Resources Security Safeguards. The proposed language specifies a "...cryptographic keys used are larger than 80-bits." We believe the cryptographic key should be a minimum of 128 bits.

Department reply: The department disagrees with the requested change. The National Institute of Standards and Technology (NIST) Special Publication 800-48, "Wireless Network Security 802.11, Bluetooth and Handheld Devices" addresses this issue under §3.3 Security of 802.11 Wireless LANs. The NIST states that: "As defined in the 802.11 standard, WEP supports only a 40-bit cryptographic keys size for the shared key. However, numerous vendors offer nonstandard extensions of WEP that support key lengths from 40 bits to 104 bits." "...Research has shown that key sizes of greater than 80-bits, for robust designs and implementations, make brute-force cryptanalysis (code breaking) an impossible task. For 80-bit keys, the number of possible keys--a keyspace of more than 10^26 --exceeds contemporary computing power." Based on the restrictions of the current 802.11 standard and the NIST assessment, no additional change to the rule is made.

2. Can additional language be added to the rule specifically addressing the following 3 questions:

Does the rule prohibit the use of wireless handheld devices, e.g., Blackberry, cell phones, PDAs?

Does the rule allow wireless handheld devices to be used on a state-provided wireless access point (WAP)?

Does the rule prohibit the use of wireless handheld devices on a personal installed WAP?

Department reply: The rule does not prohibit or specify types of handheld devices to be used. The rule only requires that each state agency publish a wireless security policy if the agency elects to allow wireless access to its systems. No additional change to the rule is made in response to the comments.

3. The determination made by Bill Perez, Security Division Director, that there will be no fiscal implications for state or local government if the amendments or new sections are adopted appears to be incorrect. State and local government will be impacted by the cost associated with the software tools needed to prepare the storage media to meet the 5220.22 standard and more importantly the time required to actually execute the software tool to make the storage media 5220.22 compliant.

Department reply: The guideline published by the department identifies free software tools to make the storage media 5220.22 compliant. While the time it takes to make the storage media 5220.22 compliant may vary by media size and number of passes required, no one is required to be present during this process. No additional change to the rule is made in response to these comments.

The amendments are adopted under §2054.130, Texas Government Code, which requires the department to adopt rules on the removal of data prior to the sale or transfer of data processing equipment, and §2054.052(a), Texas Government Code, which authorizes the department to adopt rules necessary to implement its responsibilities under the Information Resources Management Act.


