Texas Register Preamble


The Texas Department of Information Resources (department) adopts amendments to 1 Texas Administrative Code Chapter 202, §§202.1, 202.5, 202.23, 202.27, 202.73, and 202.77, concerning Information Security Standards. 1 Texas Administrative Code §§202.1, 202.23, 202.27, 202.73, and 202.77 are adopted without changes to the proposal as published in the September 8, 2023, issue of the Texas Register (48 TexReg 4937) and will not be republished.

The department adopts §202.5 with nonsubstantive changes to the rule as published in the September 8, 2023, issue of the Texas Register (48 TexReg 4937) in response to comments received from the public. This section will be republished.

The adopted rules apply to both state agencies and institutions of higher education. Section 202.23 applies, in limited scope, to local governments as defined by Texas Government Code § 2054.003(9).

Comments Received by the Department in Response to the Proposed Rule

The department received comments in response to the proposed amendments as discussed below.

A customer state agency recommended that the department update the phrase "security incident," as found at §202.1(41), to read as "reportable security incident" and update all references of the term in 1 Texas Administrative Code Chapter 202 to reflect the new defined phrase. The department declines to make a change to the proposed rule as a result of this comment as the department only uses the defined phrase "security incident" to reference incidents that must be reported to the department.

A vendor recommended that the department amend §202.5(d)(1) to clarify how a vendor can indicate "compliance with FedRAMP and StateRAMP authorizations in satisfaction of the baselines established by subsection (a) once the department receives evidence of compliance with these programs." The vendor indicated that the proposed language may lead the vendor community to believe that they must attain both FedRAMP and StateRAMP certifications to be considered compliant with a corresponding TX-RAMP level. DIR considered this comment and proposes the following nonsubstantive amendment to the proposed language to clarify the initial intent: "The department shall accept a vendor's compliance with FedRAMP or StateRAMP authorizations in satisfaction of the baselines established by subsection (a) once the department receives evidence of compliance with the respective program."

A local government recommended that the department update its requirements for local government reporting as found at §202.23(e) to reflect that only "qualified and authorized personnel of" the entity be eligible to report a security incident; the local government also requested that the department clarify the 48-hour notification timeline to indicate whether this represented a contiguous 48 hours or two business days. The department declines to make changes to the proposed rule as a result of these comments as administrative rules are intended only to establish the requirements with which local governments must comply. Any entity subject to this rule section is responsible for implementing its own unique organizational policies and procedures to determine who may assess and report a security incident and when they must report within the 48-hour deadline established by statute and rule.

Department Description of Adopted Changes

The department adopts the amendment of the title of 1 TAC Chapter 202, Subchapter A, to include "and Responsibilities" to reflect the expansion of elements within Subchapter A outside of definitions.

In §202.1, the department adopts amendments correcting certain grammatical errors within definitions used by 1 TAC Chapter 202. The department also adopts the revision of the definition for "security incident" and the creation of the new definition for "local government."

In §202.23, for state agencies, and §202.73, for institutions of higher education, the department adopts amendments establishing the minimum requirements for an entity's biennial information security assessment as well as the method and time by which an entity must report its information security assessment to all statutorily identified parties. In §202.23, specifically, the department adopts the incorporation of reporting requirements for local government security incidents as required by Senate Bill 271 [88th Legislature (Regular)]. In addition, the department adopts amendments incorporating statutory admonishments to state agencies, local governments, and institutions of higher education on notifying the department of the conclusion of a security incident within 10 days after the eradication, closure, and recovery from a security incident.

In §202.27, for state agencies, and §202.77, for institutions of higher education, the department adopts amendments that streamline the sections to include only those items that are specific to the type of entity to which the subchapter is applicable.

The department adopts a new section, §202.5, concerning the Texas Risk and Authorization Management Program (TX-RAMP). In this new section, the department consolidates department and vendor requirements within TX-RAMP that are identical regardless of customer entity.

The amendments are adopted pursuant to Texas Government Code § 2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054; Texas Government Code § 2054.0593(c), which requires the department to adopt rules necessary to implement and administer the Texas Risk and Management Authorization Program; Senate Bill 271 [88th Legislative Session (Regular)], which orders local government compliance with all department rules relating to security incident reporting; and Texas Government Code § 2054.515(c), which requires the department to establish the requirements for the information security assessment and report in its administrative rules.

No other code, article, or statute is affected by this adoption.
