
Texas Register Preamble


The Texas Department of Information Resources (department) proposes amendments to 1 Texas Administrative Code Chapter 202, §§202.1 - 202.4, 202.20 - 202.26, and 202.70 - 202.76, concerning Information Security Standards. The proposed changes include, but are not limited to, the addition of new definitions and modifications of certain existing definitions in §202.1 and §202.3; amendments to clarify the responsibilities of the State's Chief Information Security Officer in §202.4, the agency head in §202.20 and §202.70, the Information Security Officer in §202.21 and §202.71, and various other governmental entity staff in §202.22 and §202.72; amendments to expand security reporting requirements in §202.23 and §202.73; and amendments to update procedures regarding security risks and risk assessments in §202.25 and §202.75. In addition, the department proposes two new sections, §202.27 and §202.77, that address the legislative requirements of Senate Bill 475 (87th Session (Regular)) to create rules administering the Texas Risk and Authorization Management Program.

The proposed amendments are the result of the department's statutory quadrennial rule review of 1 Texas Administrative Code Chapter 202 in addition to expanded rulemaking authority granted by the 87th Legislature. The notice of rule review was published in the May 17, 2019, issue of the Texas Register (44 TexReg 2473).

In addition, the department proposes correcting references to the Texas Government Code, Texas Penal Code, and Texas Business and Commerce Code to be in compliance with legal citation standards in §§202.1 - 202.4, 202.20 - 202.26, and 202.70 - 202.76.

In §202.1, the department proposes adding the following definitions because of new or revised content in Chapter 202: "Application"; "Cloud Computing Service"; "FedRAMP"; "Nonconfidential Data"; "Program Manual"; "Residual Risk"; "Security Assessment"; "State-controlled data"; "StateRAMP"; "Statewide Technology Centers"; and "TX-RAMP."

The department proposes amending the definitions of "Control," "Destruction," "Information," "Information Owner," "Information System," "Security Incident," and "Threat" found in §202.1 to reflect current widely accepted industry definitions.

The department proposes amending the definition of "Institution of Higher Education" found in §202.2 to reflect current statutory requirement in Texas Government Code § 2054.0075 stating that public junior colleges shall follow information security standards established by the department.

The department further proposes amending the definition of "state agency" found in §202.3 for clarity.

In §202.4, the department proposes clarifying the responsibilities of the State's Chief Information Security Officer (Chief Information Security Officer) to extract currently-existing Chief Information Security Officer duties for which individual state agency and institution of higher education staff are already responsible under 1 Texas Administrative Code Chapter 202; extend authority of this role over the coordination of certain policies, standards, and guidelines of entities operating or exercising control over State-controlled data; and task the Chief Information Security Officer with providing strategic direction to the Statewide Technology Centers in addition to other currently existing duties of this role.

In §202.20, for state agencies, and §202.70, for institutions of higher education, the department proposes amending the section to task the state agency and institutions of higher education heads with ultimate responsibility for information security while permitting the agency or institution of higher education head to designate specific operational responsibilities to a designated representative, if they so choose.

In §202.21, for state agencies, and §202.71, for institutions of higher education, the department proposes incorporating by reference the Texas Government Code section addressing requirements for and responsibilities of a designated Information Security Officer and removing the list of Information Security Officer responsibilities that are enumerated at the statutory reference. Further, the department proposes clarifying the role of the Information Security Officer in risk and security assessments and expanding their participation in the development of organizational policies necessary to protect the security of information and information resources against unauthorized access or exposure. In addition, the department proposes removing language that requires security verification and risk mitigation only prior to the purchase of new high impact computer applications and replacing it with language that requires the implementation of security verification and risk mitigation plans prior to the acquisition of new information systems or the deployment of internally-developed information systems.

In §202.22, for state agencies, and §202.72, for institutions of higher education, the department proposes amendments to clarify staff responsibilities for Information Security Owners and Information Custodians.

In §202.23, for state agencies, and §202.73, for institutions of higher education, the department proposes amending the annual reporting requirement to require that the Information Security Officer provide an annual security report directly to the agency head. The department further proposes expanding incident reporting requirements to the department. The department further proposes removing the criticality analysis from the reporting requirements and amending the language to consider the nature of the incident when determining how to report.

In §202.24, for state agencies, and §202.74, for institutions of higher education, the department proposes amending agency information security program requirements to include periodic assessments in alignment with minimum legal reporting requirements and expand such assessments to include applications. The department further proposes that the program requirements expand to include a plan for providing information security for applications. The department further proposes to include specific Texas Government Code citations regarding required security awareness education programs.

In §202.25, for state agencies, and §202.75, for institutions of higher education, the department proposes to amend risk assessments to include the ranking of risks and impacts and remove language regarding inherent risks. The department further proposes clarifying the timeline by which risk assessments shall be conducted. The department further proposes that agency head responsibilities include the approval of security risk acceptance, transference, or mitigation decisions for all high residual risk systems.

In §202.26, for state agencies, and §202.76, for institutions of higher education, the department proposes amending mandatory security controls to include minimum information security requirements for applications and that such minimum standards shall use risk categorizations, rather than levels, to determine the level of information security required. The department further proposes removing requirements to use performance-based standards and guidelines that permit the use of off-the-shelf commercially developed products and amends the language to require the use of flexible standards and guidance that permit the use of commercial off-the-shelf products. The department further proposes permitting a state agency or institution of higher education head to employ more stringent security standards for applications. In §202.76, the department proposes amending language to include the Information Technology Council for Higher Education in the process to review the mandatory security controls to align 1 Texas Administrative Code §202.76 with 1 Texas Administrative Code §202.26.

DIR also proposes the creation of two new sections, §202.27, for state agencies, and §202.77, for institutions of higher education, concerning the Texas Risk and Authorization Management Program (TX-RAMP). The Texas Legislature passed Senate Bill 475 (SB 475) in the 87th Regular Session. SB 475 created the TX-RAMP program, which provides a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services, and tasked the department with adopting rules administering certain aspects of TX-RAMP. In these two new sections, the department addresses the requirements of Senate Bill 475 (87th Session (Regular)); establishes a Program Manual document, published by the department, that provides minimum baseline standards for cloud computing security products; and establishes the responsibilities of cloud computing service vendors, of the governmental entities that will be using such products, and of the department in administering TX-RAMP. The sections also provide for certain other Risk and Authorization Management Program certifications to satisfy the TX-RAMP requirements.

There is no economic impact on rural communities or small businesses as a result of enforcing or administering the amended rule as proposed.

The changes to the chapter apply to state agencies and institutions of higher education.

The assessment of the impact of the proposed changes on institutions of higher education was prepared in consultation with the Information Technology Council for Higher Education (ITCHE) in compliance with Texas Government Code § 2054.121(c). DIR submitted the proposed amendments to ITCHE for its review and impact assessment. ITCHE determined that there was no direct impact on institutions of higher education as a result of the proposed rule. Regarding the new §202.77, ITCHE will be consulted, in compliance with §202.77, to determine any potential impacts as a result of the program manual; specific ITCHE discussion points raised during the impact analysis, such as efficient processes, the timing of such processes, and procedures, will be addressed by the program manual with ITCHE's involvement.

Nancy Rainosek, Chief Information Security Officer for the State of Texas, has determined that during the first five-year period following the adoption of the new 1 TAC Chapter 202, there will be no fiscal impact on state agencies, institutions of higher education, and local governments. The clarification of terms, definitions, specific information security standards and organizational responsibilities, security reporting requirements, and security control standards highlighted in the rules increase the effectiveness of the chapter and do not result in a fiscal impact. The creation of rules administering the Texas Risk and Authorization Management Program is in compliance with the department's specific rulemaking authority granted by Senate Bill 475 (87th Regular Session) and addresses the statutory requirements for the department to administer a robust and standardized security assessment program for cloud computing service providers but does not result in a fiscal impact to state agencies, institutions of higher education, and local government. Ms. Rainosek has further determined that for each year of the first five years following the adoption of new 1 TAC Chapter 202, there are no anticipated additional economic costs to persons or small businesses required to comply with the amendments and proposed new rules.

Pursuant to Texas Government Code § 2001.0221, the agency provides the following Governmental Growth Impact Statement for the proposed amendments. The agency has determined the following:

1. The proposed rules create the Texas Risk and Authorization Management Program in compliance with the requirements of Senate Bill 475 (87th Session (Regular)). This program was created by statute; the department is tasked with the operation of the Risk and Authorization Management Program and ordered to create rules administering such a program. The proposed rules do not eliminate a government program.

2. Implementation of the proposed rules does not require the creation or elimination of employee positions. There are no additional employees required nor employees eliminated to implement the rule as amended.

3. Implementation of the proposed rules does not require an increase or decrease in future legislative appropriations to the agency. There is no fiscal impact as implementing the rule does not require an increase or decrease in future legislative appropriations.

4. The proposed rules do not require an increase or decrease in fees paid to the agency.

5. The proposed rules create new sections, §202.27 and §202.77, that govern the Texas Risk and Authorization Management Program.

6. The proposed rules do not repeal an existing regulation.

7. The proposed rules do not increase or decrease the number of individuals subject to the rule's applicability. The department has neither expanded nor reduced the overall applicability of these rules and, as such, the number of individuals subject to the rule has not changed. The definition of institution of higher education now includes public junior colleges without requiring the assent of the Higher Education Coordinating Board; however, this amendment results from a statutory amendment and brings the rule into alignment with statute.

8. The proposed rules do not positively or adversely affect the state's economy. The Texas Risk and Authorization Management Program, created by Senate Bill 475 (87th Session (Regular)) and administered by the department, would increase the security and reliability of cloud computing service products used by governmental entities.

Written comments on the proposed rules may be submitted to Christi Koenig Brisky, Assistant General Counsel, 300 West 15th Street, Suite 1300, Austin, Texas 78701, or to rules.review@dir.texas.gov. Comments will be accepted for 30 days after publication in the Texas Register.

The amendments are proposed pursuant to Texas Government Code § 2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054; Texas Government Code § 2059.053, which authorizes the department to adopt rules related to network security; and Senate Bill 475 (87(R)), which orders the department to adopt rules necessary to implement and administer the Texas Risk and Authorization Management Program.

No other code, article, or statute is affected by this proposal.


