Texas Register Preamble


The Texas Department of Information Resources (department) adopts amendments to 1 Texas Administrative Code Chapter 202, concerning Information Security Standards. 1 Texas Administrative Code §§202.1 - 202.4, 202.20 - 202.22, 202.24, 202.25, 202.70 - 202.72, 202.74, and 202.75 are adopted without changes to the proposal as published in the September 10, 2021, issue of the Texas Register (46 TexReg 5664). In addition, the department adopts two new sections, §202.27 and §202.77, which are adopted without changes to the proposal as published in the September 10, 2021, issue of the Texas Register (46 TexReg 5664). The rules will not be republished.

The amendments to 1 Texas Administrative Code §202.23 and §202.73 are adopted with nonsubstantive changes to the proposal as published in the September 10, 2021, issue of the Texas Register (46 TexReg 5664) in response to comments received from the public. These rules will be republished.

DIR is not adopting amendments proposed to 1 Texas Administrative Code §202.26 and §202.76 as published in the September 10, 2021, issue of the Texas Register (46 TexReg 5664) at this time.

The adopted amendments are the result of the department's statutory quadrennial rule review of 1 Texas Administrative Code Chapter 202 in addition to expanded rulemaking authority granted by the 87th Legislature. The department's formal notice of rule review was published in the May 17, 2019, issue of the Texas Register (44 TexReg 2473). The proposed rules were published in the September 10, 2021, issue of the Texas Register (46 TexReg 5664).

The adopted rules apply to both state agencies and institutions of higher education.

Comments Received by the Department in Response to the Proposed Rule

The department received comments in response to the proposed amendments as discussed below.

The department received comments on the proposed rules establishing the Texas Risk and Authorization Management Program (TX-RAMP) and the definitions pertinent to TX-RAMP.

A customer state agency recommended that the department remove the proposed phrase and definition "nonconfidential data" as found at 1 Texas Administrative Code §202.1(31), remove all references to "nonconfidential data" found in the proposed 1 Texas Administrative Code §202.27, and replace such references with data classification categories provided in a department-promulgated data classification guidelines document. The department declined to make this change as nonconfidential data and confidential data, as referenced by 1 Texas Administrative Code §202.27, are not meant to establish specifics of a statewide data classification scheme. Further, the term confidential data could include multiple data classification categories created by a state agency.

A customer state agency recommended that DIR remove the proposed phrase and definition "State-Controlled Data" as found at proposed 1 Texas Administrative Code §202.1(43) and referenced by 1 Texas Administrative Code §202.27 and replace it and any references to it with "Agency Data," with the proposed definition provided by the customer state agency for that term. The department declined to make this change as the Texas Risk and Authorization Management Program establishes a standardized approach for the security of cloud computing services that process the data controlled by a state agency. The purpose of this processing or the ownership of the state agency data is not applicable to this program.

A vendor identified that there might be fiscal impacts to state agencies as a result of TX-RAMP and requested clarity into the applicability of TX-RAMP to local governments and upon the use of next generation technology. The department declines to make a change to the proposed rule as a result of this comment as these requirements and applicability of statutory requirements are established by Texas Government Code § 2054.0593.

A vendor inquired as to the interoperability of other states' RAMP and FedRAMP certifications and as to whether the department published any rules for vendors to become certified as TX-RAMP compliant. The department declines to make a change to the proposed rule as specifics regarding the processes of vendor certification are established in the Program Manual created by 1 Texas Administrative Code §202.27(f).

DIR also received comments from customer state agencies regarding proposed amendments that did not pertain to TX-RAMP.

A customer state agency recommended the removal of the proposed security reporting requirement found at 1 Texas Administrative Code §202.23(b)(A)(iv), requiring a state agency to report security incidents assessed to "be an event that compromises, destroys, or alters information systems or applications in any way." The customer state agency identified that this language may have unintended consequences that require state agencies to report every security event, regardless of whether such an event rises to the level of a security incident. The department considered this comment and proposes the following nonsubstantive amendment to the proposed language to clarify the initial intent: "be an unauthorized incident that compromises, destroys, or alters information systems, applications, or access to such systems or applications in any way."

A customer state agency inquired as to whether information security officers must meet with vendors to evaluate their compliance or document risk mitigation plans prior to contract award and questioned its ability to document risk mitigation plans prior to contract award. The department declines to make a change to the proposed rule as 1 Texas Administrative Code §202.21(b)(9) does not mandate that a state agency evaluate vendor compliance with a risk mitigation plan prior to acquisition of information, nor does it require a state agency to fully document its risk mitigation plan.

Department Description of Adopted Changes

The department adopts amendments correcting existing references to the Texas Government Code, Texas Penal Code, and Texas Business and Commerce Code to be in compliance with legal citation standards in §§202.1 - 202.4, 202.20 - 202.25, and 202.70 - 202.75.

In §202.1, the department adopts amendments adding the following definitions because of new or revised content in Chapter 202: "Application"; "Cloud Computing Service"; "FedRAMP"; "Nonconfidential Data"; "Program Manual"; "Residual Risk"; "Security Assessment"; "State-controlled data"; "StateRAMP"; "Statewide Technology Centers"; and "TX-RAMP."

The department adopts amendments to the definitions of "Control," "Destruction," "Information," "Information Owner," "Information System," "Security Incident," and "Threat" found in §202.1 to reflect current widely accepted industry definitions.

The department adopts amendments to the definition of "Institution of Higher Education" found in §202.2 to reflect current statutory requirements of Texas Government Code § 2054.0075, stating that public junior colleges shall follow information security standards established by the department.

The department further adopts amendments to the definition of "state agency" found in §202.3 for clarity.

In §202.4, the department adopts amendments clarifying the responsibilities of the State's Chief Information Security Officer (Chief Information Security Officer) to extract currently existing Chief Information Security Officer duties for which individual state agency and institution of higher education staff are already responsible under 1 Texas Administrative Code Chapter 202; extend the authority of this role over the coordination of certain policies, standards, and guidelines of entities operating or exercising control over State-controlled data; and task the Chief Information Security Officer with providing strategic direction to the Statewide Technology Centers in addition to other currently existing duties of this role.

In §202.20, for state agencies, and §202.70, for institutions of higher education, the department adopts amendments tasking state agency and institution of higher education heads with ultimate responsibility for information security while permitting the agency or institution of higher education head to delegate specific operational responsibilities to a designated representative, if they so choose.

In §202.21, for state agencies, and §202.71, for institutions of higher education, the department adopts amendments incorporating by reference Texas Government Code § 2054.136, addressing requirements for and responsibilities of a designated Information Security Officer and removing the list of Information Security Officer responsibilities that are enumerated at this statutory reference. Further, the department adopts amendments clarifying the role of the Information Security Officer in risk and security assessments and expanding their participation in the development of organizational policies necessary to protect the security of information and information resources against unauthorized access or exposure. In addition, the department adopts amendments removing language that only requires security verification and risk mitigation prior to the purchase of new high impact computer applications and replacing this language to require the implementation of security verification and development of risk mitigation plans prior to acquisitions of new information systems or the deployment of internally developed information systems.

In §202.22, for state agencies, and §202.72, for institutions of higher education, the department adopts amendments clarifying staff responsibilities for Information Security Owners and Information Custodians.

In §202.23, for state agencies, and §202.73, for institutions of higher education, the department adopts amendments to the annual reporting requirement that require an Information Security Officer to provide an annual security report directly to the agency head. The department further expands incident reporting requirements to the department. The department further removes criticality analysis in reporting requirements and amends the language to consider the nature of the incident when determining how to report.

In §202.24, for state agencies, and §202.74, for institutions of higher education, the department adopts amendments to agency information security program requirements to include periodic assessments in alignment with minimum legal reporting requirements and expanding such assessments to include applications. The department further adopts the expansion of program requirements to include a plan for providing information security for applications. The department further adopts amendments to include specific Texas Government Code citations regarding required security awareness education programs.

In §202.25, for state agencies, and §202.75, for institutions of higher education, the department adopts amendments to the requirements of risk assessments to include the ranking of risks and impacts and remove language regarding inherent risks. The department further clarifies the timeline by which risk assessments shall be conducted. The department adopts the expansion of agency head responsibilities to include the approval of security risk acceptance, transference, or mitigation decisions for all high residual risk systems.

DIR also adopts two new subsections, §202.27, for state agencies, and §202.77, for institutions of higher education, concerning the Texas Risk and Authorization Management Program (TX-RAMP). In these two new subsections, the department addresses the requirements of Senate Bill 475 (87th Session (Regular)) and establishes a Program Manual document published by the department that provides minimum baseline standards for cloud computing security products, and establishes the responsibilities of cloud computing service vendors, governmental entities that will be using such products, and the department in administering the TX-RAMP. It also provides for certain other Risk and Authorization Management Program certifications to satisfy the TX-RAMP requirements as permitted by statute.

The amendments are adopted pursuant to Texas Government Code § 2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054; Texas Government Code § 2059.053, which authorizes the department to adopt rules related to network security; and Senate Bill 475 (87(R)), which orders the department to adopt rules necessary to implement and administer the Texas Risk and Authorization Management Program.

No other code, article, or statute is affected by this adoption.