BILL ANALYSIS

H.B. 1500

By: Bell, Keith

Delivery of Government Efficiency

Committee Report (Unamended)

BACKGROUND AND PURPOSE

As the state's information technology (IT) agency, the Department of Information Resources (DIR) coordinates technology planning, oversees the state's cybersecurity posture, provides telecommunications services, and manages the state's cooperative IT procurements, data center, and state website. DIR is subject to abolishment under the Texas Sunset Act on September 1, 2025, unless continued by the legislature.

In its review of DIR, the Sunset Advisory Commission recommended continuing it for another 12 years, while including numerous recommendations for changes regarding DIR's structure, duties, and functions. These recommendations include adjusting DIR's advisory committees and restructuring its board to better represent and serve government entities with widely differing IT needs. Moreover, the sunset commission recommended DIR provide more training and assistance to other agencies with their own IT procurements, given the risk to the state of those high-dollar contracts. The sunset commission also recommended providing more cybersecurity training for state and local government entities. H.B. 1500 seeks to implement these recommendations and continue DIR for another 12 years.

CRIMINAL JUSTICE IMPACT

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

RULEMAKING AUTHORITY

It is the committee's opinion that rulemaking authority is expressly granted to the governing board of the Department of Information Resources (DIR) and, if authorized by the governing board of DIR, the executive director of DIR in SECTION 7 of this bill, to the governing board of DIR in SECTION 8 of this bill, and to DIR in SECTION 20 of this bill.

ANALYSIS

H.B. 1500 amends the Government Code to continue the Department of Information Resources (DIR) under the Texas Sunset Act until September 1, 2037, and to remove the provision setting the expiration of the Information Resources Management Act on September 1, 2025. The bill also implements certain recommendations of the Sunset Advisory Commission regarding DIR functions and regarding the composition and training of the DIR governing board.

DIR Board Composition; Board Member Training

Board Composition

H.B. 1500 revises the composition of the DIR governing board, which consists of seven voting members and three nonvoting members, as follows:

·changes the composition of the nonvoting members from two rotating groups of three state agency executives and commissioners, who serve as ex officio members, to the following members appointed by the governor:

oone member who is an employee of a public institution of higher education;

otwo members who are employees of state agencies designated on the list provided to the governor by DIR under the bill's provisions; and

oone member who is an employee of a state agency with fewer than 500 full-time employees;

·removes the requirement for one of the voting members to be an employee of a public institution of higher education; and

·establishes that a nonvoting member serves for a two-year term that expires February 1 of each odd-numbered year.

The bill requires DIR, not later than December 1 of each even-numbered year, to provide the governor a list of the 10 state agencies that spent the most money on DIR products and services during the previous state fiscal year. For purposes of these provisions, the bill establishes that "state agency" has the meaning assigned by the Information Resources Management Act but does not include a department, commission, board, office, council, authority, or other agency in the judicial branch of state government.

H.B. 1500 replaces the requirement for a board member, if the final result of an action brought in a court of competent jurisdiction is that a board member may not serve on the board under the Texas Constitution, for the appropriate individual to promptly submit a list to the governor for the appointment of an eligible replacement with a requirement for the governor to appoint such a replacement.

H.B. 1500 requires the governor, as soon as possible after the bill's effective date, as the terms of members of the board expire or as vacancies occur, to appoint members to the board so that the board is composed in accordance with the bill's provisions, except that the term of the member of the board serving on the board immediately before the bill's effective date who holds the position of the member who is employed by an institution of higher education expires on that date. A member of the governing board whose term expires under these provisions is eligible for reappointment under the bill's provisions. The bill requires the governor, not later than December 1, 2025, to appoint the following members to the board in accordance with the bill's provisions:

·one voting member to serve a term that expires February 1, 2031; and

·one nonvoting member to the position of the member who is employed by an institution of higher education to serve a term that expires February 1, 2027.

DIR Board Member Training

H.B. 1500 updates DIR board training requirements to apply certain of the Sunset Advisory Commission's across-the-board recommendations. The bill establishes that the previous board eligibility requirement to complete certain training, as amended by the bill, applies to a member of the board appointed before, on, or after the bill's effective date. A member of the board who, before the bill's effective date, completed that training is only required to complete additional training on the subjects added to the training program as described by the bill's provisions. The bill prohibits such a member from voting, deliberating, or being counted as a member in attendance at a board meeting held on or after December 1, 2025, until the member completes the additional training.

Certification Course on Procurement of Information Resources Technologies

H.B. 1500 requires DIR, in coordination with the comptroller of public accounts, to develop and implement a certification course on the procurement of information resources technologies and make the course available to a person who holds a state purchasing certification, a contract management certification, or both certifications. The bill requires DIR to provide the course at least quarterly and in person and to certify a state agency employee who successfully completes the course. Successful completion of the course may be credited toward any continuing education requirements for maintaining the purchasing or contract management certifications or both. The bill establishes that "information resource technologies" has the meaning assigned by the Information Resources Management Act.

H.B. 1500 requires DIR to develop and provide annual training for persons who serve in upper management positions at state agencies, including elected or appointed state officers and executive heads, on best practices and methodologies for purchasing information resources technologies. The bill requires DIR to include in this training information that DIR covers in the purchasing and contract management certification programs that is related to the purchase of information resources technologies. The bill authorizes DIR to include additional topics in the training and prohibits DIR from requiring such a person to participate in the training.

DIR Advisory Committees

H.B. 1500 replaces the authorization for the DIR board and the DIR executive director, if authorized by the board, to appoint advisory committees as DIR considers necessary to provide expertise to DIR with an authorization for the board and executive director, if authorized by the board, to establish such advisory committees by rule. The bill requires the board, with respect to an advisory committee whose jurisdiction covers a service provided by DIR to state agencies, to do the following in appointing members to the advisory committee:

·to the extent practicable, ensure that the advisory committee is composed of a cross‑section of DIR customers who use the service; and

·appoint, in addition to the one member who is required to be a state agency employee, at least one member who is an employee of a state agency with 500 or fewer full-time employees.

The bill requires the board to adopt rules to govern each DIR advisory committee and requires those rules to include the following:

·the purpose, role, goals, composition, and duration of the advisory committee;

·as to the advisory committee members:

othe appointment procedures, terms, and quorum requirements;

oconflict-of-interest policies; and

oas advisable, member qualifications or training requirements;

·as appropriate, a method DIR must use to receive public input on issues considered by the advisory committee; and

·as appropriate, a method for sharing findings and information of the advisory committee with the public and the board.

The bill establishes that a DIR advisory committee is subject to statutory provisions governing state agency advisory committees.

H.B. 1500 requires the board by rule to establish advisory committees that advise the board on governing DIR and cover in subject matter DIR's primary functions, including at least one advisory committee for each of the following subjects:

·procurement under provisions relating to the purchase of information technology commodity items;

·the development and implementation of information security programs; and

·the preparation of the state strategic plan for information resources management.

H.B. 1500 requires the board by rule to establish an advisory committee to make recommendations to DIR on improving the effectiveness of DIR's and the state's information security operations. The bill requires the advisory committee to include members who are information security professionals employed by state agencies and local governments and establishes that the presiding officer of the advisory committee is the DIR chief information security officer.

H.B. 1500 requires the board by rule to establish an advisory committee to report to and advise the board on improving the effectiveness and efficiency of services provided by DIR to customers. The bill requires the board to appoint advisory committee members who are employees of state agencies that use DIR services and have 500 or fewer full-time employees, including at least three members who are employees of state agencies that have 150 or fewer full-time employees.

H.B. 1500 repeals provisions establishing the current DIR customer advisory committee and providing for its composition and duties. The bill repeals the requirement for the DIR executive director to appoint an advisory committee to assist in the preparation of the state strategic plan for information resources management and the requirement for such members to be approved by the board and to include officers or employees of state government.

Complaints Filed With DIR

H.B. 1500 updates DIR complaint procedures to apply certain of the Sunset Advisory Commission's across-the-board recommendations.

Procurement Services Pilot Program

H.B. 1500 requires DIR to establish a pilot program under which DIR provides assistance in the procurement of information resources technologies on request by a participating board, commission, office, department, or other agency in the executive, judicial, or legislative branch of state government. The bill conditions such a state agency's participation in the pilot program on written DIR approval. The bill authorizes DIR to limit the number of participating state agencies in the pilot program and the types of information resources technologies for which procurement assistance is provided under the pilot program.

H.B. 1500 authorizes services under the pilot program to include assistance with the following:

·procurement planning;

·developing a cost estimate for an information resources technologies project; and

·drafting and developing a solicitation.

The bill prohibits DIR, with respect to any procurement assistance provided by DIR under the pilot program, from controlling the procurement for which the assistance is provided or the management of any resulting contract. The bill establishes that DIR is not civilly liable for damages resulting from the provision of procurement assistance under the pilot program unless the damages result from intentional conduct or gross negligence.

H.B. 1500 requires DIR, not later than December 1, 2028, to submit a report to the legislature that includes a summary of the pilot program's activities and a recommendation of whether to continue or expand the program. The pilot program expires January 1, 2029.

Reports and Evaluation

H.B. 1500 removes the requirement for the biennial DIR report on the use of information resources technologies by state government to provide a summary of the amount and use of Internet-based training conducted by each state agency and institution of higher education.

H.B. 1500 removes the requirement for DIR to report to the legislature the extent and results of state agencies' compliance with the following statutory requirements:

·the organizational requirement for a state agency's information resources manager to be part of the agency's executive management; and

·the requirement for each state agency to report to DIR its compliance with that requirement as evidenced by an organizational chart of the agency's executive management.

H.B. 1500 requires DIR, once every two years, to conduct a limited evaluation of the information resources deployment review of at least five state agencies to verify the accuracy of those reviews. The bill authorizes DIR to limit the evaluation to review responses on subjects that represent the highest risks or greatest opportunities for improvement regarding the state agency's software, hardware, compliance, and cybersecurity. The bill establishes that DIR is not required to conduct site visits as part of the required limited evaluation. The bill requires DIR to use information received from the limited evaluation to update trainings for and outreach to information resources managers on accurately completing the information resources deployment review and to recommend information resources technology solutions to state agencies as needed.

H.B. 1500 removes the requirement for each state agency, at least once every two years, to conduct an information security assessment of the agency's information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities. The bill requires each state agency to report the results of its data governance assessment not later than June 1 of each even-numbered year to DIR and, on request, to the governor, the lieutenant governor, and the speaker of the house of representatives. Accordingly, the bill repeals statutory provisions establishing conflicting reporting deadlines for the results of the assessments.

Annual Cybersecurity Training

H.B. 1500 expands the applicability of the requirement for employees of state agencies and local governments who use a computer in completing at least 25 percent of the employee's required duties to annually complete a state-certified cybersecurity training program to include all such employees and elected and appointed officials of those local governments. Accordingly, the bill expands the applicability of the authorization for the governing body of a local government, or the governing body's designee, to deny access to the local government's computer system or database to an employee or elected or appointed official determined to be noncompliant with the training program requirement to include any employee or local government official determined to be noncompliant with that requirement.

Information Security Assessment

H.B. 1500 requires DIR to require each state agency, other than a public university system or institution of higher education, to complete at least once every two years an information security assessment and a penetration test to be performed by DIR or, at DIR's discretion, a vendor selected by DIR. The bill requires DIR to establish rules as necessary to implement this requirement, including rules for the procurement of such a vendor.

Repealed Provisions

H.B. 1500 repeals the requirement for the telecommunications elements of the state strategic plan to incorporate efficiencies obtained through the use of shared transmission services and open systems architecture as they become available, building on existing systems as appropriate.

H.B. 1500 repeals the following provisions of the Government Code:

·Section 2054.021(d);

·Section 2054.023(c);

·Section 2054.0331;

·Section 2054.091(d);

·Section 2054.0925(c);

·Section 2054.515(b), as amended by Chapter 567 (S.B. 475), Acts of the 87th Legislature, Regular Session, 2021; and

·Section 2054.515(b), as amended by Chapter 856 (S.B. 800), Acts of the 87th Legislature, Regular Session, 2021.

EFFECTIVE DATE

September 1, 2025.