Texas Register Preamble


The Texas Department of Information Resources (department) proposes amendments to 1 Texas Administrative Code (TAC) Chapter 202, §§202.1, 202.23, 202.27, 202.73, and 202.77, concerning Information Security Standards. The proposed changes update the Texas Risk and Authorization Management Program (TX-RAMP) to incorporate necessary programmatic changes to address cybersecurity and stakeholder needs and expands upon the requirements for the information security assessment and report required by Texas Government Code §2054.515(c). The department also proposes a new section, §202.5, to create a singular location for all TX-RAMP requirements for the department and instructions on how vendors may adhere to the requirements of the program.

The department amends the title of 1 TAC Chapter 202, Subchapter A, to include "and Responsibilities" to reflect the expansion of elements within Subchapter A outside of definitions.

In §202.1, the department corrects certain grammatical errors within definitions used by 1 TAC Chapter 202. The department also revises the definition for "security incident" and creates a new definition for "local government."

In §202.23, for state agencies, and §202.73, for institutions of higher education, the department proposes amendments that establish the minimum requirements for an entity's biennial information security assessment as well as the method and time by which an entity must report its information security assessment to all statutorily-identified parties. In addition, the department proposes amendments that incorporate statutory admonishments to state agencies, local governments, and institutions of higher education on notifying the department of the conclusion of a security incident within 10 days after the eradication, closure, and recovery from a security incident.

In §202.23, the department incorporates reporting requirements for local government security incidents as required by Senate Bill 271 [88th Legislature (Regular)]. The proposed local government security incident reporting requirements mimic those currently existing for state agencies.

In §202.27, for state agencies, and §202.77, for institutions of higher education, the department proposes amendments to streamline the sections to include only those items that are specific to the type of entity to which the subchapter is applicable.

The department proposes the creation of a new section, §202.5, concerning TX-RAMP. The Texas Legislature passed Senate Bill 475 (SB 475), which created the state risk and authorization management program, in the 87th Regular Session. Under TX-RAMP, the department must provide a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services. This requires the department to institute a number of regulatory requirements and procedures, both for itself and vendors who are seeking to become or are already TX-RAMP certified, that apply regardless of whether the customer is a state agency or institution of higher education. The proposed new section consolidates department and vendor requirements that are identical regardless of customer entity.

The proposed rule applies to state agencies, institutions of higher education, and, in limited scope as required by Senate Bill 271 [88th Legislative Session (Regular)], local governments, a term which may include approximately 1,100 rural communities as defined by Texas Government Code §2006.001(1-a). It does not apply to small businesses or micro-businesses. As a result, there is no economic impact on small businesses or micro-businesses as a result of enforcing or administering the amended rule as proposed.

There is no adverse economic impact to rural communities as a result of the proposed rule. Previously, rural communities who found themselves the victim of a security incident were required to address the recovery from the security incident on their own. With the passage of Senate Bill 271 [88th Legislative Session (Regular)], local governments, including rural communities as defined by Texas Government Code §2006(1-a), are now required to comply with the same security incident reporting rules imposed upon state agencies and institutions of higher education. The department discussed this matter extensively with local governments prior to the passage of Senate Bill 271 [88th Legislative Session (Regular)] to ensure that there was no adverse impact to local governments, including rural communities. Rural communities must report their security incidents either by submitting a form through the department-hosted system or by calling a specified department number to report a security incident. This allows rural communities to receive efficient and increased access to department support and resources, where before rural communities may not have known whom to contact during a security incident and may not have been able to receive department and/or statewide assistance in a timely fashion. Due to the lack of complexity associated with how rural communities are required to report security incidents and the benefits associated with reporting, there is no adverse economic impact to rural communities.

The department worked extensively with local government representatives during the legislative session and following the passage of Senate Bill 271 [88th Legislative Session (Regular)] to ensure that the required rules imposed the least administrative burden upon local governments, including rural communities. As proposed, these rules are the least burdensome means of implementing the statutory requirements.

The assessment of the impact of the proposed changes on institutions of higher education was prepared in consultation with the Information Technology Council for Higher Education (ITCHE) in compliance with Texas Government Code §2054.121(c). DIR submitted the proposed amendments to the Information Technology Council for Higher Education for its review. DIR determined that there was no direct impact on institutions of higher education as a result of the proposed rules.

Nancy Rainosek, Chief Information Security Officer for the State of Texas, has determined that there will be no fiscal impact upon state agencies, institutions of higher education, and local government during the first five-year period following the adoption of the proposed amendments. By permitting certain third-party certifications or attestations to partially satisfy TX-RAMP certification requirements at the department's discretion and realigning baseline levels to permit entities to assess required needs based upon an impact standard, the department has increased the overall effectiveness of the TX-RAMP rules and addresses the statutory requirement for the department to administer a robust and standardized security assessment program for cloud computing service providers. The department's creation of minimum requirements for the information security assessment that each state agency and institution of higher education must complete allows for a rigorous yet still customizable assessment that entities must complete at least biennially to determine the entity's overall security; many of the minimum requirements align with best practice standards already required for information security and, as such, do not result in a fiscal impact. Furthermore, local government's reporting of security incidents, in alignment with Senate Bill 271 [88th Legislative Session (Regular)] and the proposed rule requirements, allows local governments better access to department expertise and support, which not only results in no fiscal impact but may actually alleviate tension upon local government resources. There is no fiscal impact as a result of the proposed changes to state agencies, institutions of higher education, and local government. Ms. Rainosek has further determined that for each year of the first five years following the adoption of the amended 1 TAC Chapter 202, there are no anticipated additional economic costs to persons or small businesses required to comply with the amendments and proposed new rules.

Pursuant to Texas Government Code §2001.0221, the agency provides the following Governmental Growth Impact Statement for the proposed amendments. The agency has determined the following:

The proposed rules neither create nor eliminate a government program. The TX-RAMP program and the information security assessment and report were created by Senate Bill 475 during the 87th Legislature and the proposed rules merely administer and implement these required items.

Implementation of the proposed rules does not require the creation or elimination of employee positions. There are no additional employees required nor employees eliminated to implement the rule as amended.

Implementation of the proposed rules does not require an increase or decrease in future legislative appropriations to the agency. There is no fiscal impact as implementing the rule does not require an increase or decrease in future legislative appropriations.

The proposed rules do not require an increase or decrease in fees paid to the agency.

The proposed rules create a new rule section that consolidates existing duplicated requirements for the department and cloud computing services found in Subchapters B and C. A significant portion of the information contained in the new rule section previously existed in 1 TAC §§202.27 and 202.77.

The proposed rules do not repeal an existing regulation.

The proposed rules do not increase or decrease the number of individuals subject to the rule's applicability. 1 TAC §202.23(e) as proposed now requires local governments to report security incidents as defined by rule. Senate Bill 271 [88th Legislative Session (Regular)] requires local governments to comply with all security incident reporting rules required of state agencies; the department has simply adapted its rule to incorporate this statutory requirement. Beyond the change mandated by Senate Bill 271 [88th Legislative Session (Regular)], the department has neither expanded nor reduced the overall applicability of these rules and, as such, the number of individuals subject to the rule has not changed.

The proposed rules do not positively or adversely affect the state's economy. The proposed amendments to the TX-RAMP program, local government security incident reporting requirements, and minimum requirements necessary for an entity's information security assessment increase the security of governmental entities.

Written comments on the proposed rules may be submitted to Christi Koenig Brisky, Assistant General Counsel, 300 West 15th Street, Suite 1300, Austin, Texas 78701, or to rules.review@dir.texas.gov. Comments will be accepted for 30 days after publication in the Texas Register.

The amendments are proposed pursuant to Texas Government Code §2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054; Texas Government Code §2054.0593(c), which requires the department to adopt rules necessary to implement and administer the Texas Risk and Authorization Management Program; Senate Bill 271 [88th Legislative Session (Regular)], which orders local government compliance with all department rules relating to security incident reporting; and Texas Government Code §2054.515(c), which requires the department to establish the requirements for the information security assessment and report in its administrative rules.

No other code, article, or statute is affected by this proposal.
