Spate of IT-related laws go into effect in Texas next month

Information technology took a front row seat during the Lone Star State’s 2015 legislative session.

Ten bills that passed the Legislature and were signed by Gov. Greg Abbott put specific requirements on the state’s Department of Information Resources — the main agency that handles IT for the state. Among those was legislation to enable the department to hire a statewide data coordinator and a provision charging the governor’s office to establish a commission responsible for transparency and collaboration around data. 

Under HB 1912, the statewide data coordinator will work to improve the control and security of information collected by agencies, and promote sharing and collaboration between agencies within the state government.

Deborah Hujar, DIR’s director of technology planning, policy and governance, said during a webinar that the desire for the position actually stemmed from a recommendation the department made to the Legislature in its biennial performance report. DIR’s interim CIO and Executive Director Todd Kimbriel is currently writing the job description for the new job and hopes to fill the position by Sept. 1, Hujar said.

Meanwhile, SB 1844, creates the Interagency Data Coordination and Transparency Commission, which will review how the state uses, classifies, shares and reports data. The commission will study how the state can collect and post data from agencies online in a machine-readable, open source format that is easily accessible to the public. The commission must report its findings on the status of the state’s data accessibility to the Legislature by Sept. 1, 2016. 

The commission will include two members of the DIR staff, be led by the governor’s office and is expected to hold its first meeting before the end of 2015, according to Hujar.

The new laws also instituted several reporting requirements and other purchasing and contract mandates on DIR and other state agencies, particularly within information security, data management, modernization and consolidation, procurement and contracting.

Amy Clay, Texas DIR’s director of government relations, said during the webinar that the flurry of IT-related legislation represented an increased focus on technology from the Legislature. Clay also said the department was in the early stages of enacting the newly signed laws and would update its website to chronicle the progress.

According to the webinar, the following tech-related laws will go into effect on Sept. 1:

HB 1 — General Appropriations

This large bill includes several IT provisions, including:

• Information Technology Replacement — The law requires agencies that receive IT appropriations to perform a cost-benefit analysis of leasing technology versus purchasing. The law also forces agencies to comply with the state’s Data Center Services, or DCS, requirements and requires agencies and public institutes of higher education to use DIR’s bulk purchasing when making IT purchases. DIR will be required to annually report cost savings from bulk purchases to the Legislative Budget Board, or LBB.
• Server Consolidation Status Update — Agencies that participate in the state’s DCS program will be required to report quarterly to the LBB on how their server consolidations are going. DIR will be required to report quarterly on the status of statewide consolidations.
• Cybersecurity and Legacy System Priorities — DIR will be required to submit to the LBB a list that prioritizes cybersecurity and legacy modernization projects requested by agencies. From there, the LBB will use the list to prioritize funding. Edward Block, the state’s chief information security officer, said state officials are particularly concerned about legacy systems that are no longer supported by their original vendor. The report is due to the LBB by Oct. 1, 2016.
• Cybersecurity Purchases — Ten specific state agencies — from the aging and disability office to the insurance department — will be required to coordinate with DIR to ensure that security standards are met when an agency purchases cybersecurity technology. In addition, DIR will have the authority to require those agencies to use its bulk purchasing agreements to buy information security technology.

SB 34 — Overall State Information Security

Under this law, DIR is required to submit a report to state leadership that evaluates the overall information security of the state government. The report from DIR to leadership comes in the January of odd number years. Last year, lawmakers passed a law requiring state agencies to report their cybersecurity plans to DIR in even numbered years.

SB 1877 — Data Use Agreements

Agencies will be required to develop data use agreements for employees who handle sensitive information. After an agreement is established, those employees will be required to complete cybersecurity awareness training.

SB 1878 — Study on Accessing Electronically Stored Information

DIR will need study the feasibility of establishing new identification and access requirements for certain information electronically stored by the state. The report on the study must be issued by Nov. 30, 2016. In the meantime, Block said DIR was attempting to find the best model to do that going forward.

HB 855 — Internet Browsers and Compatibility

DIR will identify the three most used browsers to access state websites. The department will post the list on their website, and other state agency websites must be compatible with each of the browsers.

But compatible doesn’t necessarily mean optimized, Hujar said.

“The idea behind this bill was to help the public access government information more easily,” Hujar said. “We’re working on an approach to make this information available to agencies as soon as possible.”

HB 1890 — Legacy System Study Recommendations

John Van Hoorn, DIR’s director of enterprise solution services, said the law required the department to develop a modernization strategy for the state’s legacy systems. After the strategy is complete, the department will need to build on it by establishing a statewide app development framework and facilitating standardization and collaboration among agencies.

To determine the viability of a single statewide solution to the state’s legacy system problem, Van Hoorn said the state will put in place a voluntary application portfolio management pilot program and a business analytics pilot.

HB 2000 — DIR Cooperative Contracts Customer Base

DIR already has a Cooperative Contracts option available to state agencies and all public schools; however HB 2000 expands the customer base to also include the Electric Reliability Council of Texas, Lower Colorado River Authority, private schools, private or independent institutions of higher education and volunteer fire departments.

SB 20 — State Contracting and Procurement Changes

This will change DIR’s procurement and contracting process. When agencies need to procure or contract out cloud, managed services or IT security services, agencies will need to submit a draft statement of work, or SOW, to DIR before sending it to the selected vendor. At the conclusion of the award, agencies and DIR will need to sign off on that SOW.

In addition, the law also instated new requirements for how many vendors an agency must request pricing quotes from.

If the procurement is less than $50,000, the agency will only be required to submit pricing to one vendor. If the procurement is between $50,000 and $150,000, the agency is required to submit pricing requests to three vendors. If it is between $150,000 and $1 million, agencies must submit pricing requests to at least 6 vendors. If the procurement is more than $1 million, however, agencies will need to post their own solicitation for awards on a bid through a request for proposal or another means.

DIR is working on a portal to make the review process as fast as possible, according to Grace Windbigler, the director of DIR’s technology sourcing office.

Editor’s Note: An earlier version of this article reported one of the procurement limits as $120,000. It has been corrected to represent $150,000. This article was also updated to include additional clarifying information from the Texas Department of Information Resources.