TITLE 1. ADMINISTRATION

PART 10. DEPARTMENT OF INFORMATION RESOURCES

CHAPTER 202. INFORMATION SECURITY STANDARDS

The Texas Department of Information Resources (department) adopts amendments to 1 Texas Administrative Code Chapter 202, §§202.1, 202.5, 202.23, 202.27, 202.73, and 202.77, concerning Information Security Standards. 1 Texas Administrative Code §§202.1, 202.23, 202.27, 202.73, and 202.77 are adopted without changes to the proposal as published in the September 8, 2023, issue of the Texas Register (48 TexReg 4937) and will not be republished.

The department adopts §202.5 with nonsubstantive changes to the rule as published in the September 8, 2023, issue of the Texas Register (48 TexReg 4937) in response to comments received from the public. This section will be republished.

The adopted rules apply to both state agencies and institutions of higher education. Section 202.23 applies, in limited scope, to local governments as defined by Texas Government Code § 2054.003(9).

Comments Received by the Department in Response to the Proposed Rule

The department received comments in response to the proposed amendments as discussed below.

A customer state agency recommended that the department update the phrase "security incident," as found at §202.1(41), to read as "reportable security incident" and update all references of the term in 1 Texas Administrative Code Chapter 202 to reflect the new defined phrase. The department declines to make a change to the proposed rule as a result of this comment as the department only uses the defined phrase "security incident" to reference incidents that must be reported to the department.

A vendor recommended that the department amend §202.5(d)(1) to clarify how a vendor can indicate "compliance with FedRAMP and StateRAMP authorizations in satisfaction of the baselines established by subsection (a) once the department receives evidence of compliance with these programs." The vendor indicated that the proposed language may lead the vendor community to believe that they must attain both FedRAMP and StateRAMP certifications to be considered compliant with a corresponding TX-RAMP level. DIR considered this comment and proposes the following nonsubstantive amendment to the proposed language to clarify the initial intent: "The department shall accept a vendor's compliance with FedRAMP or StateRAMP authorizations in satisfaction of the baselines established by subsection (a) once the department receives evidence of compliance with the respective program."

A local government recommended that the department update its requirements for local government reporting as found at §202.23(e) to reflect that only "qualified and authorized personnel of" the entity be eligible to report a security incident; the local government also requested that the department clarify the 48-hour notification timeline to indicate whether this represented a contiguous 48 hours or two business days. The department declines to make changes to the proposed rule as a result of these comments as administrative rules are intended only to establish the requirements with which local governments must comply. Any entity subject to this rule section is responsible for implementing its own unique organizational policies and procedures to determine who may assess and report a security incident and when they must report within the 48-hour deadline established by statute and rule.

Department Description of Adopted Changes

The department adopts the amendment of the title of 1 TAC Chapter 202, Subchapter A, to include "and Responsibilities" to reflect the expansion of elements within Subchapter A outside of definitions.

In §202.1, the department adopts amendments correcting certain grammatical errors within definitions used by 1 TAC Chapter 202. The department also adopts the revision of the definition for "security incident" and the creation of the new definition for "local government."

In §202.23, for state agencies, and §202.73, for institutions of higher education, the department adopts amendments establishing the minimum requirements for an entity's biennial information security assessment as well as the method and time by which an entity must report its information security assessment to all statutorily identified parties. In §202.23, specifically, the department adopts the incorporation of reporting requirements for local government security incidents as required by Senate Bill 271 [88th Legislature (Regular)]. In addition, the department adopts amendments incorporating statutory admonishments to state agencies, local governments, and institutions of higher education on notifying the department of the conclusion of a security incident within 10 days after the eradication, closure, and recovery from a security incident.

In §202.27, for state agencies, and §202.77, for institutions of higher education, the department adopts amendments that streamline the sections to include only those items that are specific to the type of entity to which the subchapter is applicable.

The department adopts a new section, §202.5, concerning the Texas Risk and Authorization Management Program (TX-RAMP). In this new section, the department consolidates department and vendor requirements within TX-RAMP that are identical regardless of customer entity.

SUBCHAPTER A. DEFINITIONS AND RESPONSIBILITIES

1 TAC §202.1, §202.5

The amendments are adopted pursuant to Texas Government Code § 2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054; Texas Government Code § 2054.0593(c), which requires the department to adopt rules necessary to implement and administer the Texas Risk and Management Authorization Program; Senate Bill 271 [88th Legislative Session (Regular)], which orders local government compliance with all department rules relating to security incident reporting; and Texas Government Code § 2054.515(c), which requires the department to establish the requirements for the information security assessment and report in its administrative rules.

No other code, article, or statute is affected by this adoption.

§202.5. Texas Risk and Authorization Management Program Responsibilities and Mandatory Standards.

(a) Mandatory Standards for Cloud Computing Services Subject to the Texas Risk and Authorization Management Program.

(1) The department shall define mandatory standards for Texas cloud computing services identified by subsection (a) of this section in the program manual published on the department's website. Revisions to this document will be executed in compliance with subsection (d) of this section.

(2) The mandatory standards established by the department shall include at least the below stated baseline standards for:

(A) TX-RAMP Level 1 Baseline - This baseline is required for cloud computing services that are subject to TX-RAMP certification and categorized by a state agency as Low Impact Information Resources; and

(B) TX-RAMP Level 2 Baseline - This baseline is required for cloud computing services that are subject to TX-RAMP and categorized by a state agency as Moderate or High Impact Information Resources.

(3) The department shall establish the categories and characteristics of cloud computing services that are subject to TX-RAMP requirements in the program manual published on the department's website pursuant to subsection (a)(1).

(b) Responsibilities of Cloud Computing Service Vendors:

(1) To be certified under TX-RAMP, a cloud computing service vendor shall:

(A) Provide evidence of compliance with TX-RAMP requirements for the cloud computing service as detailed by the program manual; and

(B) Demonstrate continuous compliance in accordance with the program manual.

(2) Primary contracting vendors who provide or sell cloud computing services subject to TX-RAMP, including resellers who provide or sell these services, shall present evidence of certification of the cloud computing service being sold to the state agency or institution of higher education in accordance with the program manual. Such certification is required for all cloud computing services subject to TX-RAMP being provided through the contract or in furtherance of the contract, including services provided through subcontractors or third-party providers.

(3) Subcontractors or third-party providers responsible solely for servicing or supporting a cloud computing service provided by another vendor shall not be required to provide evidence of certification.

(c) Responsibilities of the Department:

(1) Prior to publishing new or revised program standards as required by subsections (a) - (b) of this section, the department shall:

(A) solicit comment through the department's electronic communications channels for the proposed standards to be changed from the Information Resources Managers and Information Security Officers of state agencies and institutions of higher education and ITCHE; and

(B) after reviewing the comments provided, present the proposed program manual to the department's Board and obtain approval from the Board for publication.

(2) The department shall:

(A) perform assessments to certify cloud computing services provided by cloud computing vendors; and

(B) publish on the department's website the list of cloud computing products certified under TX-RAMP.

(d) Acceptance of External Assessments.

(1) The department shall accept a vendor's compliance with FedRAMP or StateRAMP authorizations in satisfaction of the baselines established by subsection (a) once the department receives evidence of compliance with the respective program.

(2) At the department's discretion, another state's risk and authorization management program certification may be accepted in satisfaction of the baselines established by subsection (a) once certification is demonstrated by the vendor in alignment with program manual standards.

(3) At the department's discretion, the department may allow a third-party security assessment or third-party audit to satisfy certain mandatory program standards. A vendor may demonstrate satisfaction of certain mandatory program standards by submitting a third-party security assessment or third-party audit that the department has authorized to align with and satisfy these standards.

The agency certifies that legal counsel has reviewed the adoption and found it to be a valid exercise of the agency's legal authority.

Filed with the Office of the Secretary of State on October 27, 2023.

TRD-202303993

Joshua R. Godbey

General Counsel

Department of Information Resources

Effective date: November 16, 2023

Proposal publication date: September 8, 2023

For further information, please call: (512) 475-4531

SUBCHAPTER B. INFORMATION SECURITY STANDARDS FOR STATE AGENCIES

1 TAC §202.23, §202.27

The amendments are adopted pursuant to Texas Government Code § 2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054; Texas Government Code § 2054.0593(c), which requires the department to adopt rules necessary to implement and administer the Texas Risk and Management Authorization Program; Senate Bill 271 [88th Legislative Session (Regular)], which orders local government compliance with all department rules relating to security incident reporting; and Texas Government Code § 2054.515(c), which requires the department to establish the requirements for the information security assessment and report in its administrative rules.

No other code, article, or statute is affected by this adoption.

The agency certifies that legal counsel has reviewed the adoption and found it to be a valid exercise of the agency's legal authority.

Filed with the Office of the Secretary of State on October 27, 2023.

TRD-202303994

Joshua R. Godbey

General Counsel

Department of Information Resources

Effective date: November 16, 2023

Proposal publication date: September 8, 2023

For further information, please call: (512) 475-4531

SUBCHAPTER C. INFORMATION SECURITY STANDARDS FOR INSTITUTIONS OF HIGHER EDUCATION

1 TAC §202.73, §202.77

The amendments are adopted pursuant to Texas Government Code § 2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054; Texas Government Code § 2054.0593(c), which requires the department to adopt rules necessary to implement and administer the Texas Risk and Management Authorization Program; Senate Bill 271 [88th Legislative Session (Regular)], which orders local government compliance with all department rules relating to security incident reporting; and Texas Government Code § 2054.515(c), which requires the department to establish the requirements for the information security assessment and report in its administrative rules.

No other code, article, or statute is affected by this adoption.

The agency certifies that legal counsel has reviewed the adoption and found it to be a valid exercise of the agency's legal authority.

Filed with the Office of the Secretary of State on October 27, 2023.

TRD-202303995

Joshua R. Godbey

General Counsel

Department of Information Resources

Effective date: November 16, 2023

Proposal publication date: September 8, 2023

For further information, please call: (512) 475-4531

CHAPTER 218. DATA GOVERNANCE AND MANAGEMENT

The Texas Department of Information Resources (department) adopts 1 Texas Administrative Code (TAC) Chapter 218, Subchapter A, §§218.1 - 218.3, Subchapter B, §218.10, and Subchapter C, §218.20, without changes to the proposal as published in the September 8, 2023, edition of the Texas Register (48 TexReg 4946). These will not be republished.

The adopted rules apply to state agencies and institutions of higher education.

Comments Received by the Department

The department received no comments in response to the proposed rule.

Description of Adopted Changes

Within Subchapter A, the department adopts §§218.1 - 218.3, which introduce specialized definitions required by the rule, including the terms "data governance program," "data management officer," and "data maturity assessment," and define "state agencies" and "institutions of higher education."

The department adopts Subchapter B, §218.20, for state agencies, and Subchapter C, §218.30, for institutions of higher education, which establish the minimum requirements that an entity's information security assessment of its data governance program as required by Texas Government Code § 2054.515(a)(2) must meet to be considered compliant with statutory requirements. In §218.30, the department also adopts clarification that the data maturity assessment is considered a statutory component of the information security assessment, which is an information security standard, and, as such, public junior colleges must comply with this requirement subject to Texas Government Code § 2054.0075.

SUBCHAPTER A. DEFINITIONS

1 TAC §§218.1 - 218.3

The rules are adopted pursuant to Texas Government Code § 2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054, and Texas Government Code § 2054.515(a)(2), which admonishes the department to establish the data maturity assessment requirements by rule.

No other code, article, or statute is affected by this adoption.

The agency certifies that legal counsel has reviewed the adoption and found it to be a valid exercise of the agency's legal authority.

Filed with the Office of the Secretary of State on October 27, 2023.

TRD-202303996

Joshua R. Godbey

General Counsel

Department of Information Resources

Effective date: November 16, 2023

Proposal publication date: September 8, 2023

For further information, please call: (512) 475-4531

SUBCHAPTER B. DATA GOVERNANCE AND MANAGEMENT FOR STATE AGENCIES

1 TAC §218.10

The rules are adopted pursuant to Texas Government Code § 2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054, and Texas Government Code § 2054.515(a)(2), which admonishes the department to establish the data maturity assessment requirements by rule.

No other code, article, or statute is affected by this adoption.

The agency certifies that legal counsel has reviewed the adoption and found it to be a valid exercise of the agency's legal authority.

Filed with the Office of the Secretary of State on October 27, 2023.

TRD-202303997

Joshua R. Godbey

General Counsel

Department of Information Resources

Effective date: November 16, 2023

Proposal publication date: September 8, 2023

For further information, please call: (512) 475-4531

SUBCHAPTER C. DATA GOVERNANCE AND MANAGEMENT FOR INSTITUTIONS OF HIGHER EDUCATION

1 TAC §218.20

The rules are adopted pursuant to Texas Government Code § 2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054, and Texas Government Code § 2054.515(a)(2), which admonishes the department to establish the data maturity assessment requirements by rule.

No other code, article, or statute is affected by this adoption.

The agency certifies that legal counsel has reviewed the adoption and found it to be a valid exercise of the agency's legal authority.

Filed with the Office of the Secretary of State on October 27, 2023.

TRD-202303998

Joshua R. Godbey

General Counsel

Department of Information Resources

Effective date: November 16, 2023

Proposal publication date: September 8, 2023

For further information, please call: (512) 475-4531